diff options
| author | Sergey Sharybin <sergey@blender.org> | 2022-01-10 16:26:57 +0300 |
|---|---|---|
| committer | Philipp Oeser <info@graphics-engineer.com> | 2022-01-18 12:08:02 +0300 |
| commit | 0ac83d05d7cccec436bb939e0aa768f6a3d77d72 (patch) | |
| tree | 08dc8e616e2a7a2f4dab1d74a0a86d0de9ce95a1 | |
| parent | 0b2ea1d69bdc2c4c3b35bb9430bf3659888fe5d4 (diff) | |
Fix T94661: Out-of-bounds memory access due to malformed DDS image file
Harden bounds check in the stream reader avoiding integer overflow.
| -rw-r--r-- | source/blender/imbuf/intern/dds/Stream.cpp | 25 |
1 files changed, 20 insertions, 5 deletions
diff --git a/source/blender/imbuf/intern/dds/Stream.cpp b/source/blender/imbuf/intern/dds/Stream.cpp index 271717f165c..a0a5a75ef8d 100644 --- a/source/blender/imbuf/intern/dds/Stream.cpp +++ b/source/blender/imbuf/intern/dds/Stream.cpp @@ -26,6 +26,21 @@ static const char *msg_error_seek = "DDS: trying to seek beyond end of stream (corrupt file?)"; static const char *msg_error_read = "DDS: trying to read beyond end of stream (corrupt file?)"; +inline bool is_read_within_bounds(const Stream &mem, unsigned int cnt) +{ + if (mem.pos >= mem.size) { + /* No more data remained in the memory buffer. */ + return false; + } + + if (cnt > mem.size - mem.pos) { + /* Reading past the memory bounds. */ + return false; + } + + return true; +} + unsigned int Stream::seek(unsigned int p) { if (p > size) { @@ -40,7 +55,7 @@ unsigned int Stream::seek(unsigned int p) unsigned int mem_read(Stream &mem, unsigned long long &i) { - if (mem.pos + 8 > mem.size) { + if (!is_read_within_bounds(mem, 8)) { mem.set_failed(msg_error_seek); return (0); } @@ -51,7 +66,7 @@ unsigned int mem_read(Stream &mem, unsigned long long &i) unsigned int mem_read(Stream &mem, unsigned int &i) { - if (mem.pos + 4 > mem.size) { + if (!is_read_within_bounds(mem, 4)) { mem.set_failed(msg_error_read); return (0); } @@ -62,7 +77,7 @@ unsigned int mem_read(Stream &mem, unsigned int &i) unsigned int mem_read(Stream &mem, unsigned short &i) { - if (mem.pos + 2 > mem.size) { + if (!is_read_within_bounds(mem, 2)) { mem.set_failed(msg_error_read); return (0); } @@ -73,7 +88,7 @@ unsigned int mem_read(Stream &mem, unsigned short &i) unsigned int mem_read(Stream &mem, unsigned char &i) { - if (mem.pos + 1 > mem.size) { + if (!is_read_within_bounds(mem, 1)) { mem.set_failed(msg_error_read); return (0); } @@ -84,7 +99,7 @@ unsigned int mem_read(Stream &mem, unsigned char &i) unsigned int mem_read(Stream &mem, unsigned char *i, unsigned int cnt) { - if (mem.pos + cnt > mem.size) { + if (!is_read_within_bounds(mem, cnt)) { mem.set_failed(msg_error_read); return (0); } |