CVE-2022-0546: T94572 Out-of-bounds memory access due to malformed HDR image file

A missing bounds check in the image loader used in Blender 3.x and 2.93.8 leads to out-of-bounds heap access, allowing an attacker to cause denial of service, memory corruption or potentially code execution.

Tags: #windows #dos

System Information
Operating system: Windows-10-10.0.19044-SP0 64 Bits
Graphics card: Radeon RX 580 Series ATI Technologies Inc. 4.5.14761 Core Profile Context 21.10.3 30.0.13031.1001

Blender Version
Broken: version: 3.1.0 Alpha, branch: master, commit date: 2021-12-31 20:32, hash: rB6844304dda49
Broken: version: 2.93.8 Release Candidate, branch: master, commit date: 2021-12-15 14:37, hash: rB59a48cc43daf
Worked: -

Short description of error
An HDR image (loaded as a texture, for example) may specify a negative width or height, leading to invalid size and address calculations.

Cause
imb_loadhdr declares width as an int and parses it from the input file using sscanf with the %d format (source/blender/imbuf/intern/radiance_hdr.c:252). There is no check for negative sizes such as -1.

Allocation of the ImBuf structure succeeds, since the internal MEM_callocN adds the size of a small structure before calling malloc(), thus ensuring that malloc is called with a reasonable (small) size parameter.

The end result is that a small pixel buffer is allocated while ImBuf->x or ImBuf->y is negative.

Exact steps for others to reproduce the error
The following input file illustrates the problem.

#?RADIANCE

-Y 64 +X -1 0 666666666666666666666

The interesting fields are on the third line: "-Y" indicates that the image needs to be flipped. 64 is the height and -1 is the width.

  1. Start with the default new project
  2. Open the material panel.
  3. Set the material "base color" of the default cube to "Image texture"
  4. Load the texture file oobw_rotate_54.hdr.

Impact
Depending on the input file and the flags parameter to imb_loadhdr, this can have one of several effects. The most severe is the potential for malicious code execution, as a consequence of out-of-bounds memory access.

Input file with "-Y" and a negative width
The call to IMB_flipy() at line 307 will lead to an out-of-bounds write.

Input file with "Y" and flag IB_rect used
The call to IMB_rect_from_float() at line 311 will lead to an out-of-bounds write.

Input file with "Y", negative width and flag IB_floatrect used
imb_loadhdr will fail to identify the fault and return an invalid ImBuf, which has a small pixel buffer allocated and negative dimensions. The potential impact of this ranges from a crash (out of bounds reads due to the small buffer) to potential code execution (out of bounds write on the small buffer).

Proposed mitigation
Check width and height right after parsing them with sscanf. There appears to be no reason to allow negative values.
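As an added example, not Blender's own code and not part of the original report, the following C program parses the Radiance resolution line the way the Cause section describes imb_loadhdr doing it (sscanf with %d, no range check) and, beside it, applies the check the Proposed mitigation asks for. The function names, the HDR_MAX_DIM upper bound and the overflow check on the buffer size are assumptions for this example; the sample resolution lines are constructed from the report's input file.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical upper bound on either dimension; the report does not give
 * Blender's own limit, so this value is an assumption for the example. */
#define HDR_MAX_DIM 65536

typedef struct {
    int width;
    int height;
    int flip_y; /* set when the Y orientation token is "-Y" */
} hdr_res;

/* Unchecked parse of the Radiance resolution line ("-Y 64 +X -1 ..."),
 * modelled on the report's description of imb_loadhdr: sscanf with %d and
 * no range check, so a negative width is accepted as-is. Returns 1 when all
 * four fields were read, 0 otherwise. */
static int hdr_parse_res_unchecked(const char *line, hdr_res *out)
{
    char ori_y[3], ori_x[3];
    if (sscanf(line, "%2s %d %2s %d", ori_y, &out->height, ori_x, &out->width) != 4) {
        return 0;
    }
    out->flip_y = (strcmp(ori_y, "-Y") == 0);
    return 1;
}

/* Hardened parse: the same sscanf, followed by the check the report proposes
 * (reject width/height that are not strictly positive), plus an upper bound
 * and an overflow check on the float RGBA buffer size. */
static int hdr_parse_res_checked(const char *line, hdr_res *out)
{
    if (!hdr_parse_res_unchecked(line, out)) {
        return 0;
    }
    if (out->width <= 0 || out->height <= 0) {
        return 0; /* the -1 width from the report's sample file stops here */
    }
    if (out->width > HDR_MAX_DIM || out->height > HDR_MAX_DIM) {
        return 0;
    }
    /* width * height * 4 channels * sizeof(float) must fit in a size_t;
     * the product is formed in 64-bit arithmetic so the check itself cannot wrap */
    uint64_t pixels = (uint64_t)out->width * (uint64_t)out->height;
    if (pixels > SIZE_MAX / (4 * sizeof(float))) {
        return 0;
    }
    return 1;
}

/* Pixel-buffer size as a loader would compute it in int arithmetic. With the
 * report's width of -1 and height of 64 the result is negative; a negative
 * int handed to an allocator as a size is the root of the wrong allocation. */
static int hdr_rgba_float_bytes_int(int width, int height)
{
    return width * height * 4 * (int)sizeof(float);
}

/* Wrappers returning plain ints so each path can be exercised without an
 * out-parameter: parsed width (INT_MIN if sscanf fails), and accept/reject. */
static int hdr_width_unchecked(const char *line)
{
    hdr_res r;
    return hdr_parse_res_unchecked(line, &r) ? r.width : INT_MIN;
}

static int hdr_accept_line(const char *line)
{
    hdr_res r;
    return hdr_parse_res_checked(line, &r);
}

int main(void)
{
    /* Constructed inputs: the third line of the report's sample file, and a
     * well-formed 64x64 resolution line. */
    const char *bad = "-Y 64 +X -1 0 666666666666666666666";
    const char *good = "-Y 64 +X 64";
    printf("unchecked width of sample line: %d\n", hdr_width_unchecked(bad));
    printf("int buffer size for -1 x 64:    %d\n", hdr_rgba_float_bytes_int(-1, 64));
    printf("checked parse accepts sample:   %d\n", hdr_accept_line(bad));
    printf("checked parse accepts 64x64:    %d\n", hdr_accept_line(good));
    return 0;
}
```

Build with a plain C compiler (for example cc -Wall hdr_res_check.c) and run it: the unchecked path reports a width of -1 and a negative buffer size, while the checked path rejects the sample line and accepts the 64x64 one. The strictly-positive test is the whole of the proposed mitigation; the upper bound and the size_t overflow check are the additional checks a loader that trusts file-supplied dimensions usually needs.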

Related news

Gentoo Linux Security Advisory 202403-02

Gentoo Linux Security Advisory 202403-2 - Multiple vulnerabilities have been discovered in Blender, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 3.1.0 are affected.
