Out-of-bounds memory access due to malformed DDS image file #94661
Labels
No Label
Interest
Alembic
Interest
Animation & Rigging
Interest
Asset Browser
Interest
Asset Browser Project Overview
Interest
Audio
Interest
Automated Testing
Interest
Blender Asset Bundle
Interest
BlendFile
Interest
Collada
Interest
Compatibility
Interest
Compositing
Interest
Core
Interest
Cycles
Interest
Dependency Graph
Interest
Development Management
Interest
EEVEE
Interest
EEVEE & Viewport
Interest
Freestyle
Interest
Geometry Nodes
Interest
Grease Pencil
Interest
ID Management
Interest
Images & Movies
Interest
Import Export
Interest
Line Art
Interest
Masking
Interest
Metal
Interest
Modeling
Interest
Modifiers
Interest
Motion Tracking
Interest
Nodes & Physics
Interest
OpenGL
Interest
Overlay
Interest
Overrides
Interest
Performance
Interest
Physics
Interest
Pipeline, Assets & IO
Interest
Platforms, Builds & Tests
Interest
Python API
Interest
Render & Cycles
Interest
Render Pipeline
Interest
Sculpt, Paint & Texture
Interest
Text Editor
Interest
Translations
Interest
Triaging
Interest
Undo
Interest
USD
Interest
User Interface
Interest
UV Editing
Interest
VFX & Video
Interest
Video Sequencer
Interest
Virtual Reality
Interest
Vulkan
Interest
Wayland
Interest
Workbench
Interest: X11
Legacy
Blender 2.8 Project
Legacy
Milestone 1: Basic, Local Asset Browser
Legacy
OpenGL Error
Meta
Good First Issue
Meta
Papercut
Meta
Retrospective
Meta
Security
Module
Animation & Rigging
Module
Core
Module
Development Management
Module
EEVEE & Viewport
Module
Grease Pencil
Module
Modeling
Module
Nodes & Physics
Module
Pipeline, Assets & IO
Module
Platforms, Builds & Tests
Module
Python API
Module
Render & Cycles
Module
Sculpt, Paint & Texture
Module
Triaging
Module
User Interface
Module
VFX & Video
Platform
FreeBSD
Platform
Linux
Platform
macOS
Platform
Windows
Priority
High
Priority
Low
Priority
Normal
Priority
Unbreak Now!
Status
Archived
Status
Confirmed
Status
Duplicate
Status
Needs Info from Developers
Status
Needs Information from User
Status
Needs Triage
Status
Resolved
Type
Bug
Type
Design
Type
Known Issue
Type
Patch
Type
Report
Type
To Do
No Milestone
No project
No Assignees
5 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: blender/blender#94661
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
System Information
Operating system: Windows-10-10.0.19044-SP0 64 Bits
Graphics card: Radeon RX 580 Series ATI Technologies Inc. 4.5.14761 Core Profile Context 21.10.3 30.0.13031.1001
Blender Version
Broken: version: 3.1.0 Alpha, branch: master, commit date: 2021-12-31 20:32, hash:
6844304dda
Broken: version: 2.93.8 Release Candidate, branch: master, commit date: 2021-12-15 14:37, hash:
59a48cc43d
Worked: -
Short description of error
A DDS image may be smaller than expected, leading to an integer underflow and an out-of-bounds read.
Cause
The size calculation at
source/blender/imbuf/intern/dds/DirectDrawSurface.cpp:1117
assumes that the total stream size is larger than the DDS header (128 Bytes).A file with an otherwise valid header, but a file size smaller than 128 bytes can reach this point.
uint size
underflows to0xffffffff
, which is clearly larger than the buffer.This large size also bypasses the bounds check in
mem_read()
atsource/blender/imbuf/intern/dds/Stream.cpp:87
due to another integer overflow.Exact steps for others to reproduce the error
The following input file illustrates the problem.
oobr_DirectDrawSurface_1123.dds
oobr_DirectDrawSurface_1123.dds
.After a second or so, Blender crashes.
Impact
An out-of-bounds read can potentially be used to bypass security mechanisms such as stack cookies or pointer encryption.
Proposed mitigation
DirectDrawSurface::readData()
dds/Stream
against similar overflows by using a wider datatype during comparisons.Added subscriber: @eldstal
Added subscribers: @Sergey, @lichtwerk
Changed status from 'Needs Triage' to: 'Confirmed'
Can confirm.
#94629 (Out-of-bounds memory access in IMB_flipy() due to large image dimensions) / D11952: Fix #89542: Crash when loading certain .hdr files are related.
CC @Sergey
Added subscriber: @EAW
#86952 (Heap Buffer Overflow when viewing dds thumbnails in the file browser.) I would think is also related, as it involves a Heap Buffer overflow in the dds flipping function.
https://developer.blender.org/diffusion/B/browse/master/source/blender/imbuf/intern/dds/FlipDXT.cpp
This issue was referenced by
0ac83d05d7
This issue was referenced by
bbad834f1c
This issue was referenced by
d9dd8c287f
Changed status from 'Confirmed' to: 'Resolved'
This vulnerability has been assigned CVE-2022-0544 by the Red Hat CNA.