Fix T94661: Out-of-bounds memory access due to malformed DDS image file
Harden bounds check in the stream reader avoiding integer overflow.
This commit is contained in:
parent
d294d19d21
commit
bbad834f1c
Notes:
blender-bot
2023-02-14 04:40:22 +01:00
Referenced by issue #88449: Blender LTS: Maintenance Task 2.93 Referenced by issue #88449, Blender LTS: Maintenance Task 2.93 Referenced by issue #94661, Out-of-bounds memory access due to malformed DDS image file
|
@ -26,6 +26,21 @@
|
|||
static const char *msg_error_seek = "DDS: trying to seek beyond end of stream (corrupt file?)";
|
||||
static const char *msg_error_read = "DDS: trying to read beyond end of stream (corrupt file?)";
|
||||
|
||||
inline bool is_read_within_bounds(const Stream &mem, unsigned int cnt)
|
||||
{
|
||||
if (mem.pos >= mem.size) {
|
||||
/* No more data remained in the memory buffer. */
|
||||
return false;
|
||||
}
|
||||
|
||||
if (cnt > mem.size - mem.pos) {
|
||||
/* Reading past the memory bounds. */
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
unsigned int Stream::seek(unsigned int p)
|
||||
{
|
||||
if (p > size) {
|
||||
|
@ -40,7 +55,7 @@ unsigned int Stream::seek(unsigned int p)
|
|||
|
||||
unsigned int mem_read(Stream &mem, unsigned long long &i)
|
||||
{
|
||||
if (mem.pos + 8 > mem.size) {
|
||||
if (!is_read_within_bounds(mem, 8)) {
|
||||
mem.set_failed(msg_error_seek);
|
||||
return 0;
|
||||
}
|
||||
|
@ -51,7 +66,7 @@ unsigned int mem_read(Stream &mem, unsigned long long &i)
|
|||
|
||||
unsigned int mem_read(Stream &mem, unsigned int &i)
|
||||
{
|
||||
if (mem.pos + 4 > mem.size) {
|
||||
if (!is_read_within_bounds(mem, 4)) {
|
||||
mem.set_failed(msg_error_read);
|
||||
return 0;
|
||||
}
|
||||
|
@ -62,7 +77,7 @@ unsigned int mem_read(Stream &mem, unsigned int &i)
|
|||
|
||||
unsigned int mem_read(Stream &mem, unsigned short &i)
|
||||
{
|
||||
if (mem.pos + 2 > mem.size) {
|
||||
if (!is_read_within_bounds(mem, 2)) {
|
||||
mem.set_failed(msg_error_read);
|
||||
return 0;
|
||||
}
|
||||
|
@ -73,7 +88,7 @@ unsigned int mem_read(Stream &mem, unsigned short &i)
|
|||
|
||||
unsigned int mem_read(Stream &mem, unsigned char &i)
|
||||
{
|
||||
if (mem.pos + 1 > mem.size) {
|
||||
if (!is_read_within_bounds(mem, 1)) {
|
||||
mem.set_failed(msg_error_read);
|
||||
return 0;
|
||||
}
|
||||
|
@ -84,7 +99,7 @@ unsigned int mem_read(Stream &mem, unsigned char &i)
|
|||
|
||||
unsigned int mem_read(Stream &mem, unsigned char *i, unsigned int cnt)
|
||||
{
|
||||
if (mem.pos + cnt > mem.size) {
|
||||
if (!is_read_within_bounds(mem, cnt)) {
|
||||
mem.set_failed(msg_error_read);
|
||||
return 0;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue