Out-of-bounds memory access due to malformed DDS image file #94661

New Issue

System Information
Operating system: Windows-10-10.0.19044-SP0 64 Bits
Graphics card: Radeon RX 580 Series ATI Technologies Inc. 4.5.14761 Core Profile Context 21.10.3 30.0.13031.1001

Blender Version
Broken: version: 3.1.0 Alpha, branch: master, commit date: 2021-12-31 20:32, hash: 6844304dda
Broken: version: 2.93.8 Release Candidate, branch: master, commit date: 2021-12-15 14:37, hash: 59a48cc43d
Worked: -

Short description of error
A DDS image may be smaller than expected, leading to an integer underflow and an out-of-bounds read.

Cause
The size calculation at source/blender/imbuf/intern/dds/DirectDrawSurface.cpp:1117 assumes that the total stream size is larger than the DDS header (128 Bytes).
A file with an otherwise valid header, but a file size smaller than 128 bytes can reach this point. uint size underflows to 0xffffffff, which is clearly larger than the buffer.
This large size also bypasses the bounds check in mem_read() at source/blender/imbuf/intern/dds/Stream.cpp:87 due to another integer overflow.

Exact steps for others to reproduce the error
The following input file illustrates the problem.

oobr_DirectDrawSurface_1123.dds

Start with the default new project
Open the material panel.
Set the material "base color" of the default cube to "Image texture"
Load the texture file oobr_DirectDrawSurface_1123.dds.

After a second or so, Blender crashes.

Impact
An out-of-bounds read can potentially be used to bypass security mechanisms such as stack cookies or pointer encryption.

Proposed mitigation

Add a bounds check in DirectDrawSurface::readData()
Possibly harden dds/Stream against similar overflows by using a wider datatype during comparisons.

**System Information** Operating system: Windows-10-10.0.19044-SP0 64 Bits Graphics card: Radeon RX 580 Series ATI Technologies Inc. 4.5.14761 Core Profile Context 21.10.3 30.0.13031.1001 **Blender Version** Broken: version: 3.1.0 Alpha, branch: master, commit date: 2021-12-31 20:32, hash: `6844304dda` Broken: version: 2.93.8 Release Candidate, branch: master, commit date: 2021-12-15 14:37, hash: `59a48cc43d` Worked: - **Short description of error** A DDS image may be smaller than expected, leading to an integer underflow and an out-of-bounds read. **Cause** The size calculation at `source/blender/imbuf/intern/dds/DirectDrawSurface.cpp:1117` assumes that the total stream size is larger than the DDS header (128 Bytes). A file with an otherwise valid header, but a file size smaller than 128 bytes can reach this point. `uint size` underflows to `0xffffffff`, which is clearly larger than the buffer. This large size also bypasses the bounds check in `mem_read()` at `source/blender/imbuf/intern/dds/Stream.cpp:87` due to another integer overflow. **Exact steps for others to reproduce the error** The following input file illustrates the problem. [oobr_DirectDrawSurface_1123.dds](https://archive.blender.org/developer/F12789977/oobr_DirectDrawSurface_1123.dds) 1. Start with the default new project 2. Open the material panel. 3. Set the material "base color" of the default cube to "Image texture" 4. Load the texture file `oobr_DirectDrawSurface_1123.dds`. After a second or so, Blender crashes. **Impact** An out-of-bounds read can potentially be used to bypass security mechanisms such as stack cookies or pointer encryption. **Proposed mitigation** 1. Add a bounds check in `DirectDrawSurface::readData()` 2. Possibly harden `dds/Stream` against similar overflows by using a wider datatype during comparisons.

Added subscriber: @eldstal

Added subscribers: @Sergey, @lichtwerk

Changed status from 'Needs Triage' to: 'Confirmed'

Can confirm.

#94629 (Out-of-bounds memory access in IMB_flipy() due to large image dimensions) / D11952: Fix #89542: Crash when loading certain .hdr files are related.

CC @Sergey

Can confirm. #94629 (Out-of-bounds memory access in IMB_flipy() due to large image dimensions) / [D11952: Fix #89542: Crash when loading certain .hdr files](https://archive.blender.org/developer/D11952) are related. CC @Sergey

Added subscriber: @EAW

#86952 (Heap Buffer Overflow when viewing dds thumbnails in the file browser.) I would think is also related, as it involves a Heap Buffer overflow in the dds flipping function.
https://developer.blender.org/diffusion/B/browse/master/source/blender/imbuf/intern/dds/FlipDXT.cpp

#86952 (Heap Buffer Overflow when viewing dds thumbnails in the file browser.) I would think is also related, as it involves a Heap Buffer overflow in the dds flipping function. https://developer.blender.org/diffusion/B/browse/master/source/blender/imbuf/intern/dds/FlipDXT.cpp

This issue was referenced by 0ac83d05d7

This issue was referenced by 0ac83d05d7cccec436bb939e0aa768f6a3d77d72

This issue was referenced by bbad834f1c

This issue was referenced by bbad834f1c2a1f7030ed9741c486b23241e8885e

This issue was referenced by d9dd8c287f

This issue was referenced by d9dd8c287f57716a827483973c31bbb2face2816

Changed status from 'Confirmed' to: 'Resolved'

This vulnerability has been assigned CVE-2022-0544 by the Red Hat CNA.

Download

What's New

Blender Studio

Manual

Developers Blog

Documentation

Benchmark

Blender Conference

Development Fund

One-time Donations

Out-of-bounds memory access due to malformed DDS image file #94661