diff options
author | Brecht Van Lommel <brechtvanlommel@gmail.com> | 2018-01-14 16:19:57 +0300 |
---|---|---|
committer | Brecht Van Lommel <brechtvanlommel@gmail.com> | 2018-01-17 21:59:47 +0300 |
commit | d30cc1ea0b9ba64d8a1e22105528b6cb8077692c (patch) | |
tree | 8064a8a4e305a042a8e5d6efbf26b917ca189a3e /source/blender/avi/intern/avi_rgb.c | |
parent | a6700362c71c3978acd53762e1f2e11e7f7a38b5 (diff) |
Fix buffer overflows in TIFF, PNG, IRIS, DPX, HDR and AVI loading.
Solves these security issues from T52924:
CVE-2017-2899
CVE-2017-2900
CVE-2017-2901
CVE-2017-2902
CVE-2017-2903
CVE-2017-2904
CVE-2017-2905
CVE-2017-2906
CVE-2017-2907
CVE-2017-2918
Differential Revision: https://developer.blender.org/D2999
Diffstat (limited to 'source/blender/avi/intern/avi_rgb.c')
-rw-r--r-- | source/blender/avi/intern/avi_rgb.c | 90 |
1 files changed, 47 insertions, 43 deletions
diff --git a/source/blender/avi/intern/avi_rgb.c b/source/blender/avi/intern/avi_rgb.c index 632ecad61a6..f0baf7c6c14 100644 --- a/source/blender/avi/intern/avi_rgb.c +++ b/source/blender/avi/intern/avi_rgb.c @@ -40,11 +40,12 @@ #include "AVI_avi.h" #include "avi_rgb.h" +#include "IMB_imbuf.h" + /* implementation */ -void *avi_converter_from_avi_rgb(AviMovie *movie, int stream, unsigned char *buffer, int *size) +void *avi_converter_from_avi_rgb(AviMovie *movie, int stream, unsigned char *buffer, size_t *size) { - int x, y, i, rowstride; unsigned char *buf; AviBitmapInfoHeader *bi; short bits = 32; @@ -60,33 +61,35 @@ void *avi_converter_from_avi_rgb(AviMovie *movie, int stream, unsigned char *buf #ifdef __BIG_ENDIAN__ unsigned char *pxla; #endif - - buf = MEM_mallocN(movie->header->Height * movie->header->Width * 3, "fromavirgbbuf"); - y = movie->header->Height; - to = buf; + buf = imb_alloc_pixels(movie->header->Height, movie->header->Width, 3, sizeof(unsigned char), "fromavirgbbuf"); + + if (buf) { + size_t y = movie->header->Height; + to = buf; + + while (y--) { + pxl = (unsigned short *) (buffer + y * movie->header->Width * 2); - while (y--) { - pxl = (unsigned short *) (buffer + y * movie->header->Width * 2); - #ifdef __BIG_ENDIAN__ - pxla = (unsigned char *)pxl; + pxla = (unsigned char *)pxl; #endif - x = movie->header->Width; - while (x--) { + size_t x = movie->header->Width; + while (x--) { #ifdef __BIG_ENDIAN__ - i = pxla[0]; - pxla[0] = pxla[1]; - pxla[1] = i; - - pxla += 2; + int i = pxla[0]; + pxla[0] = pxla[1]; + pxla[1] = i; + + pxla += 2; #endif - - *(to++) = ((*pxl >> 10) & 0x1f) * 8; - *(to++) = ((*pxl >> 5) & 0x1f) * 8; - *(to++) = (*pxl & 0x1f) * 8; - pxl++; + + *(to++) = ((*pxl >> 10) & 0x1f) * 8; + *(to++) = ((*pxl >> 5) & 0x1f) * 8; + *(to++) = (*pxl & 0x1f) * 8; + pxl++; + } } } @@ -95,48 +98,49 @@ void *avi_converter_from_avi_rgb(AviMovie *movie, int stream, unsigned char *buf return buf; } else { - buf = MEM_mallocN(movie->header->Height * movie->header->Width * 3, "fromavirgbbuf"); - - rowstride = movie->header->Width * 3; - if ((bits != 16) && (movie->header->Width % 2)) rowstride++; - - for (y = 0; y < movie->header->Height; y++) { - memcpy(&buf[y * movie->header->Width * 3], &buffer[((movie->header->Height - 1) - y) * rowstride], movie->header->Width * 3); - } + buf = imb_alloc_pixels(movie->header->Height, movie->header->Width, 3, sizeof(unsigned char), "fromavirgbbuf"); - for (y = 0; y < movie->header->Height * movie->header->Width * 3; y += 3) { - i = buf[y]; - buf[y] = buf[y + 2]; - buf[y + 2] = i; + if (buf) { + size_t rowstride = movie->header->Width * 3; + if ((bits != 16) && (movie->header->Width % 2)) rowstride++; + + for (size_t y = 0; y < movie->header->Height; y++) { + memcpy(&buf[y * movie->header->Width * 3], &buffer[((movie->header->Height - 1) - y) * rowstride], movie->header->Width * 3); + } + + for (size_t y = 0; y < (size_t)movie->header->Height * (size_t)movie->header->Width * 3; y += 3) { + int i = buf[y]; + buf[y] = buf[y + 2]; + buf[y + 2] = i; + } } - + MEM_freeN(buffer); - + return buf; } } -void *avi_converter_to_avi_rgb(AviMovie *movie, int stream, unsigned char *buffer, int *size) +void *avi_converter_to_avi_rgb(AviMovie *movie, int stream, unsigned char *buffer, size_t *size) { - int y, x, i, rowstride; unsigned char *buf; (void)stream; /* unused */ - rowstride = movie->header->Width * 3; + size_t rowstride = movie->header->Width * 3; /* AVI files has uncompressed lines 4-byte aligned */ rowstride = (rowstride + 3) & ~3; *size = movie->header->Height * rowstride; buf = MEM_mallocN(*size, "toavirgbbuf"); - for (y = 0; y < movie->header->Height; y++) { + for (size_t y = 0; y < movie->header->Height; y++) { memcpy(&buf[y * rowstride], &buffer[((movie->header->Height - 1) - y) * movie->header->Width * 3], movie->header->Width * 3); } - for (y = 0; y < movie->header->Height; y++) { - for (x = 0; x < movie->header->Width * 3; x += 3) { - i = buf[y * rowstride + x]; + for (size_t y = 0; y < movie->header->Height; y++) { + for (size_t x = 0; x < movie->header->Width * 3; x += 3) { + int i = buf[y * rowstride + x]; buf[y * rowstride + x] = buf[y * rowstride + x + 2]; buf[y * rowstride + x + 2] = i; } |