From bbad834f1c2a1f7030ed9741c486b23241e8885e Mon Sep 17 00:00:00 2001
From: Sergey Sharybin <sergey@blender.org>
Date: Mon, 10 Jan 2022 14:26:57 +0100
Subject: Fix T94661: Out-of-bounds memory access due to malformed DDS image
 file

Harden bounds check in the stream reader avoiding integer overflow.
---
 source/blender/imbuf/intern/dds/Stream.cpp | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/source/blender/imbuf/intern/dds/Stream.cpp b/source/blender/imbuf/intern/dds/Stream.cpp
index 3dab3c35675..31bf2076ed1 100644
--- a/source/blender/imbuf/intern/dds/Stream.cpp
+++ b/source/blender/imbuf/intern/dds/Stream.cpp
@@ -26,6 +26,21 @@
 static const char *msg_error_seek = "DDS: trying to seek beyond end of stream (corrupt file?)";
 static const char *msg_error_read = "DDS: trying to read beyond end of stream (corrupt file?)";
 
+inline bool is_read_within_bounds(const Stream &mem, unsigned int cnt)
+{
+  if (mem.pos >= mem.size) {
+    /* No more data remained in the memory buffer. */
+    return false;
+  }
+
+  if (cnt > mem.size - mem.pos) {
+    /* Reading past the memory bounds. */
+    return false;
+  }
+
+  return true;
+}
+
 unsigned int Stream::seek(unsigned int p)
 {
   if (p > size) {
@@ -40,7 +55,7 @@ unsigned int Stream::seek(unsigned int p)
 
 unsigned int mem_read(Stream &mem, unsigned long long &i)
 {
-  if (mem.pos + 8 > mem.size) {
+  if (!is_read_within_bounds(mem, 8)) {
     mem.set_failed(msg_error_seek);
     return 0;
   }
@@ -51,7 +66,7 @@ unsigned int mem_read(Stream &mem, unsigned long long &i)
 
 unsigned int mem_read(Stream &mem, unsigned int &i)
 {
-  if (mem.pos + 4 > mem.size) {
+  if (!is_read_within_bounds(mem, 4)) {
     mem.set_failed(msg_error_read);
     return 0;
   }
@@ -62,7 +77,7 @@ unsigned int mem_read(Stream &mem, unsigned int &i)
 
 unsigned int mem_read(Stream &mem, unsigned short &i)
 {
-  if (mem.pos + 2 > mem.size) {
+  if (!is_read_within_bounds(mem, 2)) {
     mem.set_failed(msg_error_read);
     return 0;
   }
@@ -73,7 +88,7 @@ unsigned int mem_read(Stream &mem, unsigned short &i)
 
 unsigned int mem_read(Stream &mem, unsigned char &i)
 {
-  if (mem.pos + 1 > mem.size) {
+  if (!is_read_within_bounds(mem, 1)) {
     mem.set_failed(msg_error_read);
     return 0;
   }
@@ -84,7 +99,7 @@ unsigned int mem_read(Stream &mem, unsigned char &i)
 
 unsigned int mem_read(Stream &mem, unsigned char *i, unsigned int cnt)
 {
-  if (mem.pos + cnt > mem.size) {
+  if (!is_read_within_bounds(mem, cnt)) {
     mem.set_failed(msg_error_read);
     return 0;
   }
-- 
cgit v1.2.3