CVE-2022-0544: T94661 Out-of-bounds memory access due to malformed DDS image file

An integer underflow in the DDS loader of Blender leads to an out-of-bounds read, possibly allowing an attacker to read sensitive data using a crafted DDS image file. This flaw affects Blender versions prior to 2.83.19, 2.93.8 and 3.1.

System Information
Operating system: Windows-10-10.0.19044-SP0 64 Bits
Graphics card: Radeon RX 580 Series ATI Technologies Inc. 4.5.14761 Core Profile Context 21.10.3 30.0.13031.1001

Blender Version
Broken: version: 3.1.0 Alpha, branch: master, commit date: 2021-12-31 20:32, hash: rB6844304dda49
Broken: version: 2.93.8 Release Candidate, branch: master, commit date: 2021-12-15 14:37, hash: rB59a48cc43daf
Worked: -

Short description of error
A DDS image file may be smaller than the loader expects (shorter than its 128-byte header), which leads to an unsigned integer underflow in the payload size calculation and then to an out-of-bounds read.

Cause
The size calculation at source/blender/imbuf/intern/dds/DirectDrawSurface.cpp:1117 assumes that the total stream size is larger than the DDS header (128 bytes) and subtracts the header size without checking that assumption.
A file with an otherwise valid header but a total size below 128 bytes can reach this point; the attached reproducer is 127 bytes, one byte short of the header. The unsigned 32-bit size underflows to 0xffffffff, which is far larger than the buffer.
This huge size also bypasses the bounds check in mem_read() at source/blender/imbuf/intern/dds/Stream.cpp:87 through a second integer overflow: the check adds the requested length to the current stream position in 32-bit arithmetic, so the sum wraps around, the comparison against the stream size passes, and the copy runs past the end of the buffer.

Exact steps for others to reproduce the error
The following input file illustrates the problem.

Attachment: oobr_DirectDrawSurface_1123.dds (127 bytes)

  1. Start with the default new project
  2. Open the material panel.
  3. Set the material “base color” of the default cube to “Image texture”
  4. Load the texture file oobr_DirectDrawSurface_1123.dds.

After a second or so, Blender crashes.

Impact
An out-of-bounds read discloses process memory to whoever controls the input file. Besides the crash observed above (a denial of service), the leaked memory can potentially be used to bypass security mechanisms that depend on secret values, such as stack cookies or pointer encryption.

Proposed mitigation

  1. Add a bounds check in DirectDrawSurface::readData() that rejects a stream smaller than the 128-byte header before the header size is subtracted from the stream size.
  2. Possibly harden dds/Stream against similar overflows by using a wider data type (64-bit) for the position-plus-length comparison in mem_read(), so a large requested length cannot wrap the sum below the stream size.
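The following is an added example written for this page to illustrate the cause and the two proposed mitigations above; it is not Blender's DDS loader. It models the unsigned 32-bit "stream size minus header" subtraction and the position-plus-length bounds check, builds a constructed input with a valid magic and dwSize cut to 127 bytes (a stand-in for the attached reproducer, not the attachment itself), and runs the vulnerable flow beside a flow that applies both mitigations. All identifiers here (Stream, LoadResult, load_vulnerable, load_fixed, make_dds, vulnerable_on, fixed_on, bounds_ok_32bit, bounds_ok_64bit) are names chosen for the example; the file names, line numbers and function names cited in the report refer to the real code.

```cpp
// Added illustration for T94661; NOT Blender's code. All names below are
// assumptions chosen for the example. The model never performs the
// out-of-bounds memcpy; it reports whether the real code would have.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <initializer_list>
#include <vector>

// "DDS " magic (4 bytes) followed by the 124-byte DDS_HEADER structure.
constexpr uint32_t kMagicSize = 4;
constexpr uint32_t kHeaderStructSize = 124;
constexpr uint32_t kHeaderSize = kMagicSize + kHeaderStructSize;  // 128

struct Stream {
  const uint8_t *mem;
  uint32_t size;  // total bytes in the file
  uint32_t pos;   // current read offset
};

enum class LoadResult { Rejected, ReadInBounds, OutOfBoundsRead };

// Shape of the vulnerable check: pos + count is evaluated in 32 bits, so a
// count near 0xffffffff wraps the sum below size and the check passes.
static bool bounds_ok_32bit(const Stream &s, uint32_t count) {
  return s.pos + count <= s.size;
}

// Hardened check (mitigation 2): widen before adding so the sum cannot wrap.
static bool bounds_ok_64bit(const Stream &s, uint32_t count) {
  return uint64_t(s.pos) + uint64_t(count) <= uint64_t(s.size);
}

// "Otherwise valid header": magic is "DDS " and dwSize is 124. Only these
// two fields are checked in the model. Little-endian host assumed.
static bool header_plausible(const Stream &s) {
  if (s.size < 8 || std::memcmp(s.mem, "DDS ", kMagicSize) != 0) return false;
  uint32_t dw_size;
  std::memcpy(&dw_size, s.mem + kMagicSize, sizeof dw_size);
  return dw_size == kHeaderStructSize;
}

// Vulnerable flow: payload = file size - 128 in unsigned 32-bit arithmetic.
// For a 127-byte file that is 0xffffffff; the 32-bit check then wraps and
// the real code would memcpy far past the end of the file buffer.
LoadResult load_vulnerable(const uint8_t *data, uint32_t len) {
  Stream s{data, len, 0};
  if (!header_plausible(s)) return LoadResult::Rejected;
  s.pos = len < kHeaderSize ? len : kHeaderSize;  // header parsing consumed up to 128 bytes
  uint32_t payload = s.size - kHeaderSize;        // underflows when len < 128
  if (!bounds_ok_32bit(s, payload)) return LoadResult::Rejected;
  // The real code reads `payload` bytes here. Decide with safe arithmetic
  // whether that read would stay inside the buffer instead of doing it.
  return bounds_ok_64bit(s, payload) ? LoadResult::ReadInBounds
                                     : LoadResult::OutOfBoundsRead;
}

// Fixed flow, applying both mitigations from the report: (1) reject streams
// shorter than the header before subtracting, (2) widen the read check.
LoadResult load_fixed(const uint8_t *data, uint32_t len) {
  Stream s{data, len, 0};
  if (!header_plausible(s)) return LoadResult::Rejected;
  if (s.size < kHeaderSize) return LoadResult::Rejected;  // (1)
  s.pos = kHeaderSize;
  uint32_t payload = s.size - kHeaderSize;               // cannot underflow now
  if (!bounds_ok_64bit(s, payload)) return LoadResult::Rejected;  // (2)
  return LoadResult::ReadInBounds;
}

// Constructed input (not the attachment from the report): valid magic and
// dwSize, zero-filled otherwise, cut to `len` bytes. len = 127 reproduces
// the "one byte short of the header" case.
std::vector<uint8_t> make_dds(uint32_t len) {
  std::vector<uint8_t> f(len, 0);
  if (len >= kMagicSize) std::memcpy(f.data(), "DDS ", kMagicSize);
  if (len >= 8) {
    uint32_t dw_size = kHeaderStructSize;
    std::memcpy(f.data() + kMagicSize, &dw_size, sizeof dw_size);
  }
  return f;
}

// Build a `len`-byte file and run one of the two loaders on it.
LoadResult vulnerable_on(uint32_t len) {
  std::vector<uint8_t> f = make_dds(len);
  return load_vulnerable(f.data(), uint32_t(f.size()));
}
LoadResult fixed_on(uint32_t len) {
  std::vector<uint8_t> f = make_dds(len);
  return load_fixed(f.data(), uint32_t(f.size()));
}

static const char *name(LoadResult r) {
  if (r == LoadResult::Rejected) return "rejected";
  if (r == LoadResult::ReadInBounds) return "read in bounds";
  return "OUT-OF-BOUNDS READ";
}

int main() {
  for (uint32_t len : {127u, 128u, 256u})
    std::printf("%3u bytes: vulnerable=%s fixed=%s\n", len,
                name(vulnerable_on(len)), name(fixed_on(len)));
  return 0;
}
```

Compile with g++ -std=c++11 and run; the 127-byte case is reported as an out-of-bounds read by the vulnerable flow and rejected by the fixed one, while 128- and 256-byte inputs pass both. The model decides with 64-bit arithmetic instead of performing the memcpy because an actual out-of-bounds read is undefined behaviour and would either crash or silently succeed depending on heap layout, which is exactly why the bug surfaces as a crash "after a second or so" rather than deterministically.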
