Out-of-bounds memory access due to malformed HDR image file #94572
Labels
No Label
Interest
Alembic
Interest
Animation & Rigging
Interest
Asset System
Interest
Audio
Interest
Automated Testing
Interest
Blender Asset Bundle
Interest
BlendFile
Interest
Collada
Interest
Compatibility
Interest
Compositing
Interest
Core
Interest
Cycles
Interest
Dependency Graph
Interest
Development Management
Interest
EEVEE
Interest
Freestyle
Interest
Geometry Nodes
Interest
Grease Pencil
Interest
ID Management
Interest
Images & Movies
Interest
Import Export
Interest
Line Art
Interest
Masking
Interest
Metal
Interest
Modeling
Interest
Modifiers
Interest
Motion Tracking
Interest
Nodes & Physics
Interest
OpenGL
Interest
Overlay
Interest
Overrides
Interest
Performance
Interest
Physics
Interest
Pipeline, Assets & IO
Interest
Platforms, Builds & Tests
Interest
Python API
Interest
Render & Cycles
Interest
Render Pipeline
Interest
Sculpt, Paint & Texture
Interest
Text Editor
Interest
Translations
Interest
Triaging
Interest
Undo
Interest
USD
Interest
User Interface
Interest
UV Editing
Interest
VFX & Video
Interest
Video Sequencer
Interest
Viewport & EEVEE
Interest
Virtual Reality
Interest
Vulkan
Interest
Wayland
Interest
Workbench
Interest: X11
Legacy
Asset Browser Project
Legacy
Blender 2.8 Project
Legacy
Milestone 1: Basic, Local Asset Browser
Legacy
OpenGL Error
Meta
Good First Issue
Meta
Papercut
Meta
Retrospective
Meta
Security
Module
Animation & Rigging
Module
Core
Module
Development Management
Module
Grease Pencil
Module
Modeling
Module
Nodes & Physics
Module
Pipeline, Assets & IO
Module
Platforms, Builds & Tests
Module
Python API
Module
Render & Cycles
Module
Sculpt, Paint & Texture
Module
Triaging
Module
User Interface
Module
VFX & Video
Module
Viewport & EEVEE
Platform
FreeBSD
Platform
Linux
Platform
macOS
Platform
Windows
Severity
High
Severity
Low
Severity
Normal
Severity
Unbreak Now!
Status
Archived
Status
Confirmed
Status
Duplicate
Status
Needs Info from Developers
Status
Needs Information from User
Status
Needs Triage
Status
Resolved
Type
Bug
Type
Design
Type
Known Issue
Type
Patch
Type
Report
Type
To Do
No Milestone
No project
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: blender/blender#94572
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
System Information
Operating system: Windows-10-10.0.19044-SP0 64 Bits
Graphics card: Radeon RX 580 Series ATI Technologies Inc. 4.5.14761 Core Profile Context 21.10.3 30.0.13031.1001
Blender Version
Broken: version: 3.1.0 Alpha, branch: master, commit date: 2021-12-31 20:32, hash:
6844304dda
Broken: version: 2.93.8 Release Candidate, branch: master, commit date: 2021-12-15 14:37, hash:
59a48cc43d
Worked: -
Short description of error
An HDR image (loaded as a texture, for example) may specify a negative width or height, leading to invalid size and address calculations.
Cause
The parsing in
imb_loadhdr
declaresint width
and parses it from the input file usingsscanf
with the%d
format at source/blender/imbuf/intern/radiance_hdr.c:252. There is no check for negative sizes such as -1.Allocation of the ImBuf structure succeeds, since the internal
MEM_callocN
adds the size of a small structure before callingmalloc()
, thus ensuring thatmalloc
is called with a reasonable (small) size parameter.The end result is that a small pixel buffer is allocated, and
ImBuf->x
orImBuf->y
are negative.Exact steps for others to reproduce the error
The following input file illustrates the problem.
oobw_rotate_54.hdr
The interesting fields are on the third line: "-Y" indicates that the image needs to be flipped. 64 is the height and -1 is the width.
oobw_rotate_54.hdr
.Impact
Depending on the input file and the
flags
parameter toimb_loadhdr
, this can have one of several effects. The most severe is the potential for malicious code execution, as a consequence of out-of-bounds memory access.Input file with "-Y" and a negative width
The call to
IMB_flipy()
at line 307 will lead to an out of bounds write.Input file with "Y" and flag
IB_rect
usedThe call to
IMB_rect_from_float()
at line 311 will lead to an out of bounds write.Input file with "Y", negative width and flag
IB_floatrect
usedimb_loadhdr
will fail to identify the fault and return an invalidImBuf
, which has a small pixel buffer allocated and negative dimensions. The potential impact of this ranges from a crash (out of bounds reads due to the small buffer) to potential code execution (out of bounds write on the small buffer).Proposed mitigation
Check
width
andheight
right after parsing them withsscanf
. There appears to be no reason to allow negative values.Added subscriber: @eldstal
Added subscriber: @deadpin
Changed status from 'Needs Triage' to: 'Confirmed'
Confirmed, and it would be fixed with D11952. I'll push to get that committed sometime soon.
Thanks for taking a look at this so quickly!
I can confirm that the patch in D11952 includes a fix for this issue.
This issue was referenced by
1ee4e6bf31
This issue was referenced by
77616082f4
Changed status from 'Confirmed' to: 'Resolved'
This vulnerability has been assigned CVE-2022-0546 by the Red Hat CNA.