blender
/
blender
76
262
Fork 358
Code Issues 5.9k Pull Requests 551 Projects 19 Wiki Activity

Out-of-bounds memory access due to malformed HDR image file #94572

New Issue
Closed
opened 2022-01-02 11:56:32 +01:00 by Albin Eldstål-Ahrens · 9 comments
Albin Eldstål-Ahrens commented 2022-01-02 11:56:32 +01:00

System Information
Operating system: Windows-10-10.0.19044-SP0 64 Bits
Graphics card: Radeon RX 580 Series ATI Technologies Inc. 4.5.14761 Core Profile Context 21.10.3 30.0.13031.1001

Blender Version
Broken: version: 3.1.0 Alpha, branch: master, commit date: 2021-12-31 20:32, hash: 6844304dda
Broken: version: 2.93.8 Release Candidate, branch: master, commit date: 2021-12-15 14:37, hash: 59a48cc43d
Worked: -

Short description of error
An HDR image (loaded as a texture, for example) may specify a negative width or height, leading to invalid size and address calculations.

Cause
The parsing in imb_loadhdr declares int width and parses it from the input file using sscanf with the %d format at source/blender/imbuf/intern/radiance_hdr.c:252. There is no check for negative sizes such as -1.

Allocation of the ImBuf structure succeeds, since the internal MEM_callocN adds the size of a small structure before calling malloc(), thus ensuring that malloc is called with a reasonable (small) size parameter.

The end result is that a small pixel buffer is allocated, and ImBuf->x or ImBuf->y are negative.

Exact steps for others to reproduce the error
The following input file illustrates the problem.

oobw_rotate_54.hdr

#?RADIANCE

-Y 64 +X -1
0
666666666666666666666

The interesting fields are on the third line: "-Y" indicates that the image needs to be flipped. 64 is the height and -1 is the width.

  1. Start with the default new project
  2. Open the material panel.
  3. Set the material "base color" of the default cube to "Image texture"
  4. Load the texture file oobw_rotate_54.hdr.

Impact
Depending on the input file and the flags parameter to imb_loadhdr, this can have one of several effects. The most severe is the potential for malicious code execution, as a consequence of out-of-bounds memory access.

Input file with "-Y" and a negative width
The call to IMB_flipy() at line 307 will lead to an out of bounds write.

Input file with "Y" and flag IB_rect used
The call to IMB_rect_from_float() at line 311 will lead to an out of bounds write.

Input file with "Y", negative width and flag IB_floatrect used
imb_loadhdr will fail to identify the fault and return an invalid ImBuf, which has a small pixel buffer allocated and negative dimensions. The potential impact of this ranges from a crash (out of bounds reads due to the small buffer) to potential code execution (out of bounds write on the small buffer).

Proposed mitigation
Check width and height right after parsing them with sscanf. There appears to be no reason to allow negative values.

**System Information** Operating system: Windows-10-10.0.19044-SP0 64 Bits Graphics card: Radeon RX 580 Series ATI Technologies Inc. 4.5.14761 Core Profile Context 21.10.3 30.0.13031.1001 **Blender Version** Broken: version: 3.1.0 Alpha, branch: master, commit date: 2021-12-31 20:32, hash: `6844304dda` Broken: version: 2.93.8 Release Candidate, branch: master, commit date: 2021-12-15 14:37, hash: `59a48cc43d` Worked: - **Short description of error** An HDR image (loaded as a texture, for example) may specify a negative width or height, leading to invalid size and address calculations. **Cause** The parsing in `imb_loadhdr` declares `int width` and parses it from the input file using `sscanf` with the `%d` format at source/blender/imbuf/intern/radiance_hdr.c:252. There is no check for negative sizes such as -1. Allocation of the ImBuf structure succeeds, since the internal `MEM_callocN` adds the size of a small structure before calling `malloc()`, thus ensuring that `malloc` is called with a reasonable (small) size parameter. The end result is that a small pixel buffer is allocated, and `ImBuf->x` or `ImBuf->y` are negative. **Exact steps for others to reproduce the error** The following input file illustrates the problem. [oobw_rotate_54.hdr](https://archive.blender.org/developer/F12785137/oobw_rotate_54.hdr) ``` #?RADIANCE -Y 64 +X -1 0 666666666666666666666 ``` The interesting fields are on the third line: "-Y" indicates that the image needs to be flipped. 64 is the height and -1 is the width. 1. Start with the default new project 2. Open the material panel. 3. Set the material "base color" of the default cube to "Image texture" 4. Load the texture file `oobw_rotate_54.hdr`. **Impact** Depending on the input file and the `flags` parameter to `imb_loadhdr`, this can have one of several effects. The most severe is the potential for malicious code execution, as a consequence of out-of-bounds memory access. __Input file with "-Y" and a negative width__ The call to `IMB_flipy()` at line 307 will lead to an out of bounds write. __Input file with "Y" and flag `IB_rect` used__ The call to `IMB_rect_from_float()` at line 311 will lead to an out of bounds write. __Input file with "Y", negative width and flag `IB_floatrect` used__ `imb_loadhdr` will fail to identify the fault and return an invalid `ImBuf`, which has a small pixel buffer allocated and negative dimensions. The potential impact of this ranges from a crash (out of bounds reads due to the small buffer) to potential code execution (out of bounds write on the small buffer). **Proposed mitigation** Check `width` and `height` right after parsing them with `sscanf`. There appears to be no reason to allow negative values.
Albin Eldstål-Ahrens commented 2022-01-02 11:56:32 +01:00
Poster

Added subscriber: @eldstal

Added subscriber: @eldstal
Jesse Yurkovich commented 2022-01-02 12:12:31 +01:00
Collaborator

Added subscriber: @deadpin

Added subscriber: @deadpin
Jesse Yurkovich commented 2022-01-02 12:12:31 +01:00
Collaborator

Changed status from 'Needs Triage' to: 'Confirmed'

Changed status from 'Needs Triage' to: 'Confirmed'
Jesse Yurkovich commented 2022-01-02 12:12:31 +01:00
Collaborator

Confirmed, and it would be fixed with D11952. I'll push to get that committed sometime soon.

Confirmed, and it would be fixed with [D11952](https://archive.blender.org/developer/D11952). I'll push to get that committed sometime soon.
Albin Eldstål-Ahrens commented 2022-01-02 17:03:15 +01:00
Poster

Thanks for taking a look at this so quickly!

I can confirm that the patch in D11952 includes a fix for this issue.

Thanks for taking a look at this so quickly! I can confirm that the patch in [D11952](https://archive.blender.org/developer/D11952) includes a fix for this issue.
blender-admin commented 2022-01-12 05:48:32 +01:00
Collaborator

This issue was referenced by 1ee4e6bf31

This issue was referenced by 1ee4e6bf31ff32f87f9cd1eafa548d6811794380
blender-admin commented 2022-01-12 05:48:32 +01:00
Collaborator

This issue was referenced by 77616082f4

This issue was referenced by 77616082f44da5258faf9ec0d53618c721b88c62
Jesse Yurkovich commented 2022-01-12 05:59:26 +01:00
Collaborator

Changed status from 'Confirmed' to: 'Resolved'

Changed status from 'Confirmed' to: 'Resolved'
Jesse Yurkovich self-assigned this 2022-01-12 05:59:26 +01:00
Albin Eldstål-Ahrens commented 2022-02-09 11:30:49 +01:00
Poster

This vulnerability has been assigned CVE-2022-0546 by the Red Hat CNA.

This vulnerability has been assigned CVE-2022-0546 by the Red Hat CNA.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
main
blender-v3.6-release
universal-scene-description
temp-sculpt-dyntopo
blender-v3.3-release
asset-browser-frontend-split
brush-assets-project
asset-shelf
anim/armature-drawing-refactor-3
temp-sculpt-dyntopo-hive-alloc
tmp-usd-python-mtl
tmp-usd-3.6
blender-v3.5-release
blender-projects-basics
blender-v2.93-release
temp-sculpt-attr-api
realtime-clock
sculpt-dev
gpencil-next
bevelv2
microfacet_hair
xr-dev
principled-v2
v3.6.3
v3.3.11
v3.6.2
v3.3.10
v3.6.1
v3.3.9
v3.6.0
v3.3.8
v3.3.7
v2.93.18
v3.5.1
v3.3.6
v2.93.17
v3.5.0
v2.93.16
v3.3.5
v3.3.4
v2.93.15
v2.93.14
v3.3.3
v2.93.13
v2.93.12
v3.4.1
v3.3.2
v3.4.0
v3.3.1
v2.93.11
v3.3.0
v3.2.2
v2.93.10
v3.2.1
v3.2.0
v2.83.20
v2.93.9
v3.1.2
v3.1.1
v3.1.0
v2.83.19
v2.93.8
v3.0.1
v2.93.7
v3.0.0
v2.93.6
v2.93.5
v2.83.18
v2.93.4
v2.93.3
v2.83.17
v2.93.2
v2.93.1
v2.83.16
v2.93.0
v2.83.15
v2.83.14
v2.83.13
v2.92.0
v2.83.12
v2.91.2
v2.83.10
v2.91.0
v2.83.9
v2.83.8
v2.83.7
v2.90.1
v2.83.6.1
v2.83.6
v2.90.0
v2.83.5
v2.83.4
v2.83.3
v2.83.2
v2.83.1
v2.83
v2.82a
v2.82
v2.81a
v2.81
v2.80
v2.80-rc3
v2.80-rc2
v2.80-rc1
v2.79b
v2.79a
v2.79
v2.79-rc2
v2.79-rc1
v2.78c
v2.78b
v2.78a
v2.78
v2.78-rc2
v2.78-rc1
v2.77a
v2.77
v2.77-rc2
v2.77-rc1
v2.76b
v2.76a
v2.76
v2.76-rc3
v2.76-rc2
v2.76-rc1
v2.75a
v2.75
v2.75-rc2
v2.75-rc1
v2.74
v2.74-rc4
v2.74-rc3
v2.74-rc2
v2.74-rc1
v2.73a
v2.73
v2.73-rc1
v2.72b
2.72b
v2.72a
v2.72
v2.72-rc1
v2.71
v2.71-rc2
v2.71-rc1
v2.70a
v2.70
v2.70-rc2
v2.70-rc
v2.69
v2.68a
v2.68
v2.67b
v2.67a
v2.67
v2.66a
v2.66
v2.65a
v2.65
v2.64a
v2.64
v2.63a
v2.63
v2.61
v2.60a
v2.60
v2.59
v2.58a
v2.58
v2.57b
v2.57a
v2.57
v2.56a
v2.56
v2.55
v2.54
v2.53
v2.52
v2.51
v2.50
v2.49b
v2.49a
v2.49
v2.48a
v2.48
v2.47
v2.46
v2.45
v2.44
v2.43
v2.42a
v2.42
v2.41
v2.40
v2.37a
v2.37
v2.36
v2.35a
v2.35
v2.34
v2.33a
v2.33
v2.32
v2.31a
v2.31
v2.30
v2.28c
v2.28a
v2.28
v2.27
v2.26
v2.25
Labels
Apply labels
Clear labels   
Interest
Alembic
   
Interest
Animation & Rigging
   
Interest
Asset Browser
   
Interest
Asset Browser Project Overview
   
Interest
Audio
   
Interest
Automated Testing
   
Interest
Blender Asset Bundle
   
Interest
BlendFile
   
Interest
Collada
   
Interest
Compatibility
This issue affects/is about backward or forward compatibility   
Interest
Compositing
   
Interest
Core
   
Interest
Cycles
   
Interest
Dependency Graph
   
Interest
Development Management
   
Interest
EEVEE & Viewport
   
Interest
Freestyle
   
Interest
Geometry Nodes
   
Interest
Grease Pencil
   
Interest
ID Management
   
Interest
Images & Movies
   
Interest
Import Export
   
Interest
Line Art
   
Interest
Masking
   
Interest
Metal
   
Interest
Modeling
   
Interest
Modifiers
   
Interest
Motion Tracking
   
Interest
Nodes & Physics
   
Interest
OpenGL
   
Interest
Overrides
   
Interest
Performance
   
Interest
Physics
   
Interest
Pipeline, Assets & IO
   
Interest
Platforms, Builds & Tests
   
Interest
Python API
   
Interest
Render & Cycles
   
Interest
Render Pipeline
   
Interest
Sculpt, Paint & Texture
   
Interest
Text Editor
   
Interest
Translations
   
Interest
Triaging
   
Interest
Undo
   
Interest
USD
   
Interest
User Interface
   
Interest
UV Editing
   
Interest
VFX & Video
   
Interest
Video Sequencer
   
Interest
Virtual Reality
   
Interest
Vulkan
  
Interest: Wayland
  
Legacy
Blender 2.8 Project
   
Legacy
Milestone 1: Basic, Local Asset Browser
   
Legacy
OpenGL Error
  
Meta
Good First Issue
   
Meta
Papercut
   
Meta
Retrospective
   
Meta
Security
Issues relating to security: https://wiki.blender.org/wiki/Process/Vulnerability_Reports
  
Module
Animation & Rigging
   
Module
Core
   
Module
Development Management
   
Module
EEVEE & Viewport
   
Module
Grease Pencil
   
Module
Modeling
   
Module
Nodes & Physics
   
Module
Pipeline, Assets & IO
   
Module
Platforms, Builds & Tests
   
Module
Python API
   
Module
Render & Cycles
   
Module
Sculpt, Paint & Texture
   
Module
Triaging
   
Module
User Interface
   
Module
VFX & Video
  
Platform
FreeBSD
   
Platform
Linux
   
Platform
macOS
   
Platform
Windows
  
Priority
High
   
Priority
Low
   
Priority
Normal
   
Priority
Unbreak Now!
  
Status
Archived
   
Status
Confirmed
   
Status
Duplicate
   
Status
Needs Info from Developers
   
Status
Needs Information from User
   
Status
Needs Triage
   
Status
Resolved
  
Type
Bug
   
Type
Design
   
Type
Known Issue
   
Type
Patch
   
Type
Report
   
Type
To Do
No Label
Interest
Alembic
Interest
Animation & Rigging
Interest
Asset Browser
Interest
Asset Browser Project Overview
Interest
Audio
Interest
Automated Testing
Interest
Blender Asset Bundle
Interest
BlendFile
Interest
Collada
Interest
Compatibility
Interest
Compositing
Interest
Core
Interest
Cycles
Interest
Dependency Graph
Interest
Development Management
Interest
EEVEE & Viewport
Interest
Freestyle
Interest
Geometry Nodes
Interest
Grease Pencil
Interest
ID Management
Interest
Images & Movies
Interest
Import Export
Interest
Line Art
Interest
Masking
Interest
Metal
Interest
Modeling
Interest
Modifiers
Interest
Motion Tracking
Interest
Nodes & Physics
Interest
OpenGL
Interest
Overrides
Interest
Performance
Interest
Physics
Interest
Pipeline, Assets & IO
Interest
Platforms, Builds & Tests
Interest
Python API
Interest
Render & Cycles
Interest
Render Pipeline
Interest
Sculpt, Paint & Texture
Interest
Text Editor
Interest
Translations
Interest
Triaging
Interest
Undo
Interest
USD
Interest
User Interface
Interest
UV Editing
Interest
VFX & Video
Interest
Video Sequencer
Interest
Virtual Reality
Interest
Vulkan
Interest: Wayland
Legacy
Blender 2.8 Project
Legacy
Milestone 1: Basic, Local Asset Browser
Legacy
OpenGL Error
Meta
Good First Issue
Meta
Papercut
Meta
Retrospective
Meta
Security
Module
Animation & Rigging
Module
Core
Module
Development Management
Module
EEVEE & Viewport
Module
Grease Pencil
Module
Modeling
Module
Nodes & Physics
Module
Pipeline, Assets & IO
Module
Platforms, Builds & Tests
Module
Python API
Module
Render & Cycles
Module
Sculpt, Paint & Texture
Module
Triaging
Module
User Interface
Module
VFX & Video
Platform
FreeBSD
Platform
Linux
Platform
macOS
Platform
Windows
Priority
High
Priority
Low
Priority
Normal
Priority
Unbreak Now!
Status
Archived
Status
Confirmed
Status
Duplicate
Status
Needs Info from Developers
Status
Needs Information from User
Status
Needs Triage
Status
Resolved
Type
Bug
Type
Design
Type
Known Issue
Type
Patch
Type
Report
Type
To Do
Milestone
Set milestone
Clear milestone
No items
No Milestone
Projects
Set Project
Clear projects
No project
Assignees
Assign users
Clear assignees
No Assignees
Jesse Yurkovich
3 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: blender/blender#94572
There is no content yet.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may exist for a short time before cleaning up, in most cases it CANNOT be undone. Continue?