Fix T94629: The IMB_flip API would fail with large images

Fix IMB_flip[xy] to handle cases where integer overflow might occur when
given sufficiently large image dimensions.

All of these fixes were of a similar class where the intermediate
sub-expression would overflow silently. Widen the types as necessary.

Differential Revision: https://developer.blender.org/D13744
Jesse Yurkovich 2022-01-06 21:35:04 -08:00 committed by Philipp Oeser
parent e38a0eea5c
commit e07f16776b
Notes: blender-bot 2023-02-14 06:46:23 +01:00
Referenced by issue #88449: Blender LTS: Maintenance Task 2.93
Referenced by issue #88449, Blender LTS: Maintenance Task 2.93
Referenced by issue #94629, Out-of-bounds memory access in IMB_flipy() due to large image dimensions
1 changed files with 34 additions and 28 deletions


@ -32,7 +32,7 @@
void IMB_flipy(struct ImBuf *ibuf)
{
int x, y;
size_t x_size, y_size;
if (ibuf == NULL) {
return;
@ -41,21 +41,23 @@ void IMB_flipy(struct ImBuf *ibuf)
if (ibuf->rect) {
unsigned int *top, *bottom, *line;
x = ibuf->x;
y = ibuf->y;
x_size = ibuf->x;
y_size = ibuf->y;
const size_t stride = x_size * sizeof(int);
top = ibuf->rect;
bottom = top + ((y - 1) * x);
line = MEM_mallocN(x * sizeof(int), "linebuf");
bottom = top + ((y_size - 1) * x_size);
line = MEM_mallocN(stride, "linebuf");
y >>= 1;
y_size >>= 1;
for (; y > 0; y--) {
memcpy(line, top, x * sizeof(int));
memcpy(top, bottom, x * sizeof(int));
memcpy(bottom, line, x * sizeof(int));
bottom -= x;
top += x;
for (; y_size > 0; y_size--) {
memcpy(line, top, stride);
memcpy(top, bottom, stride);
memcpy(bottom, line, stride);
bottom -= x_size;
top += x_size;
}
MEM_freeN(line);
@ -64,21 +66,23 @@ void IMB_flipy(struct ImBuf *ibuf)
if (ibuf->rect_float) {
float *topf = NULL, *bottomf = NULL, *linef = NULL;
x = ibuf->x;
y = ibuf->y;
x_size = ibuf->x;
y_size = ibuf->y;
const size_t stride = x_size * 4 * sizeof(float);
topf = ibuf->rect_float;
bottomf = topf + 4 * ((y - 1) * x);
linef = MEM_mallocN(4 * x * sizeof(float), "linebuff");
bottomf = topf + 4 * ((y_size - 1) * x_size);
linef = MEM_mallocN(stride, "linebuf");
y >>= 1;
y_size >>= 1;
for (; y > 0; y--) {
memcpy(linef, topf, 4 * x * sizeof(float));
memcpy(topf, bottomf, 4 * x * sizeof(float));
memcpy(bottomf, linef, 4 * x * sizeof(float));
bottomf -= 4 * x;
topf += 4 * x;
for (; y_size > 0; y_size--) {
memcpy(linef, topf, stride);
memcpy(topf, bottomf, stride);
memcpy(bottomf, linef, stride);
bottomf -= 4 * x_size;
topf += 4 * x_size;
}
MEM_freeN(linef);
@ -99,20 +103,22 @@ void IMB_flipx(struct ImBuf *ibuf)
if (ibuf->rect) {
for (yi = y - 1; yi >= 0; yi--) {
const size_t x_offset = (size_t)x * yi;
for (xr = x - 1, xl = 0; xr >= xl; xr--, xl++) {
SWAP(unsigned int, ibuf->rect[(x * yi) + xr], ibuf->rect[(x * yi) + xl]);
SWAP(unsigned int, ibuf->rect[x_offset + xr], ibuf->rect[x_offset + xl]);
}
}
}
if (ibuf->rect_float) {
for (yi = y - 1; yi >= 0; yi--) {
const size_t x_offset = (size_t)x * yi;
for (xr = x - 1, xl = 0; xr >= xl; xr--, xl++) {
memcpy(&px_f, &ibuf->rect_float[((x * yi) + xr) * 4], sizeof(float[4]));
memcpy(&ibuf->rect_float[((x * yi) + xr) * 4],
&ibuf->rect_float[((x * yi) + xl) * 4],
memcpy(&px_f, &ibuf->rect_float[(x_offset + xr) * 4], sizeof(float[4]));
memcpy(&ibuf->rect_float[(x_offset + xr) * 4],
&ibuf->rect_float[(x_offset + xl) * 4],
sizeof(float[4]));
memcpy(&ibuf->rect_float[((x * yi) + xl) * 4], &px_f, sizeof(float[4]));
memcpy(&ibuf->rect_float[(x_offset + xl) * 4], &px_f, sizeof(float[4]));
}
}
}
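Review bot: The line buffers in IMB_flipy are used without a NULL check: `line = MEM_mallocN(stride, "linebuf");` and the matching `linef` allocation in the float path feed straight into `memcpy` in the lines shown. With `stride` now computed in `size_t`, a very wide image requests a correspondingly large buffer, so a failed allocation becomes the next failure mode for the inputs this commit targets (assuming MEM_mallocN can return NULL here, which the page does not show). A guard such as `if (line == NULL) { return; }` before each loop would make that a clean no-op instead of a write through a null pointer. Separately, `y_size - 1` now wraps to a huge unsigned value when `ibuf->y` is 0, so an early return on non-positive dimensions would keep `bottom` and `bottomf` from being computed out of range. The bodies of IMB_flipy and IMB_flipx start and end outside the hunks shown.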