CVE-2022-0545: T94629 Out-of-bounds memory access in IMB_flipy() due to large image dimensions

An integer overflow in the processing of loaded 2D images leads to a write-what-where vulnerability and an out-of-bounds read vulnerability, allowing an attacker to leak sensitive information or achieve code execution in the context of the Blender process when a specially crafted image file is loaded. This flaw affects Blender versions prior to 2.83.19, 2.93.8 and 3.1.


System Information
Operating system: Windows-10-10.0.19044-SP0 64 Bits
Graphics card: Radeon RX 580 Series ATI Technologies Inc. 4.5.14761 Core Profile Context 21.10.3 30.0.13031.1001

Blender Version
Broken: version: 3.1.0 Alpha, branch: master, commit date: 2021-12-31 20:32, hash: rB6844304dda49
Broken: version: 2.93.8 Release Candidate, branch: master, commit date: 2021-12-15 14:37, hash: rB59a48cc43daf
Worked: -

Short description of error
A loaded (and valid) image (ImBuf*) can be crafted such that an out-of-bounds read or write occurs when the image is flipped vertically. In at least one IMB loader, flipping is performed on image load and without further user input.

Cause
IMB_flipy() in source/blender/imbuf/intern/rotate.c is missing a bounds check after lines 48 and 71. As a result, an ImBuf with large dimensions can cause bottomf to wrap around and point to an address before topf.

By tuning the dimensions of the image carefully, an attacker can choose exactly where bottomf points, and have data written there from the input image.

Notes
While the provided example is an HDR image, this issue is independent of the HDR parsing code and thus also of the fix in D11952.

Exact steps for others to reproduce the error
The following input file (an HDR image) illustrates the problem. Call imb_loadhdr() with flags=IB_rectfloat on it to trigger a crash in IMB_flipy().

#?RADIANCE

-Y 96 -Y 9630838

To see the crash in the latest alpha build of Blender, follow these steps:

  1. Start with the default new project
  2. Open the material panel.
  3. Set the material “base color” of the default cube to “Image texture”
  4. Load the texture file segv_rotate_78.hdr.

Impact
An attacker-controlled out-of-bounds write can realistically be used to obtain code execution in the blender process. For example, a return address on the stack or a function pointer in a known location in memory can be overwritten.

Proposed mitigation
Fail if bottomf <= topf, in both codepaths. I’m not able to provide a trivial patch for this, since IMB_flipy() has not been designed with a failure mechanism. Someone better acquainted with the various users of flipy needs to weigh in on a proper fix.
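As an added illustration of the cause and of the mitigation proposed above, the following stand-alone C sketch is not Blender's code and not part of the report. It computes the last-row offset in 64-bit arithmetic to show that the report's 96 x 9630838 dimensions overflow a 32-bit offset, and it wraps the flip in a size check that refuses such dimensions before any pointer is formed, so bottomf can never land before topf. The assumed pixel layout (4 floats per pixel, last-row offset = (y-1)*x*4) and the function names are assumptions for this example, not taken from Blender's source.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for this example: 4 floats (RGBA) per pixel, as for a float rect. */
#define CHANNELS 4

/* Does the last-row offset (y-1)*x*CHANNELS wrap when computed in 32-bit int?
 * This is the kind of arithmetic the report says lets bottomf land before topf. */
bool int32_offset_wraps(int x, int y)
{
    int64_t off = (int64_t)(y - 1) * (int64_t)x * CHANNELS;
    return off > INT32_MAX || off < 0;
}

/* Overflow-safe size check: true only if x*y*CHANNELS fits in size_t and
 * within the buffer that was actually allocated (buf_floats elements). */
bool flip_dims_ok(int x, int y, size_t buf_floats)
{
    if (x <= 0 || y <= 0) return false;
    size_t sx = (size_t)x, sy = (size_t)y;
    if (sx > SIZE_MAX / sy) return false;            /* x*y would wrap */
    size_t pixels = sx * sy;
    if (pixels > SIZE_MAX / CHANNELS) return false;   /* *CHANNELS would wrap */
    return pixels * CHANNELS <= buf_floats;
}

/* Vertical flip that refuses to run unless the check passes.
 * Returns 0 on success, -1 if the dimensions were rejected (the failure
 * mechanism the report notes IMB_flipy() currently lacks). */
int safe_flipy(float *rect, int x, int y, size_t buf_floats)
{
    if (!flip_dims_ok(x, y, buf_floats)) return -1;
    size_t row = (size_t)x * CHANNELS;
    float *topf = rect;
    float *bottomf = rect + (size_t)(y - 1) * row;
    /* The check guarantees bottomf >= topf; the loop stops at the middle row. */
    for (; topf < bottomf; topf += row, bottomf -= row) {
        for (size_t i = 0; i < row; i++) {
            float t = topf[i];
            topf[i] = bottomf[i];
            bottomf[i] = t;
        }
    }
    return 0;
}

/* Constructed 2x3 image with values 0..23; returns rect[0] after flipping,
 * which is the first value of the former bottom row (16.0f). */
float demo_small_flip(void)
{
    enum { X = 2, Y = 3, N = X * Y * CHANNELS };
    float img[N];
    for (int i = 0; i < N; i++) img[i] = (float)i;
    if (safe_flipy(img, X, Y, N) != 0) return -1.0f;
    return img[0];
}

int main(void)
{
    /* Dimensions taken from the report's crafted HDR header (96 and 9630838). */
    printf("96 x 9630838 wraps a 32-bit offset: %s\n",
           int32_offset_wraps(96, 9630838) ? "yes" : "no");
    printf("safe_flipy with those dimensions on a small buffer: %d\n",
           safe_flipy(NULL, 96, 9630838, 1024));
    printf("2x3 flip, rect[0] afterwards: %.0f\n", demo_small_flip());
    return 0;
}
```

The check is done on the dimensions and the allocated length, not on the resulting pointers, because once the offset has wrapped the comparison bottomf <= topf is already operating on an out-of-range address; validating x*y*CHANNELS against the buffer before forming bottomf avoids that entirely.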

Related news

Gentoo Linux Security Advisory 202403-02

Gentoo Linux Security Advisory 202403-2 - Multiple vulnerabilities have been discovered in Blender, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 3.1.0 are affected.
