Hello community,

here is the log from the commit of package blender for openSUSE:Factory checked 
in at 2022-02-21 17:46:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/blender (Old)
 and      /work/SRC/openSUSE:Factory/.blender.new.1958 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "blender"

Mon Feb 21 17:46:31 2022 rev:157 rq:956164 version:3.0.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/blender/blender.changes  2022-02-05 
23:23:49.643660329 +0100
+++ /work/SRC/openSUSE:Factory/.blender.new.1958/blender.changes        
2022-02-21 17:47:32.767610923 +0100
@@ -1,0 +2,10 @@
+Sat Feb 19 16:44:47 UTC 2022 - Hans-Peter Jansen <h...@urpla.net>
+
+- Apply 0001-Fix-T94661-Out-of-bounds-memory-access-due-to-malfor.patch
+  Fix for CVE-2022-0544 (boo#1195740)
+- Apply 0001-Fix-T94629-The-IMB_flip-API-would-fail-with-large-im.patch
+  Fix for CVE-2022-0545 (boo#1195739)
+- Apply 0001-Fix-T89542-Crash-when-loading-certain-.hdr-files.patch
+  Fix for CVE-2022-0546 (boo#1195738)
+
+-------------------------------------------------------------------

New:
----
  0001-Fix-T89542-Crash-when-loading-certain-.hdr-files.patch
  0001-Fix-T94629-The-IMB_flip-API-would-fail-with-large-im.patch
  0001-Fix-T94661-Out-of-bounds-memory-access-due-to-malfor.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ blender.spec ++++++
--- /var/tmp/diff_new_pack.UXut2x/_old  2022-02-21 17:47:33.647611184 +0100
+++ /var/tmp/diff_new_pack.UXut2x/_new  2022-02-21 17:47:33.651611186 +0100
@@ -81,6 +81,12 @@
 Patch0:         reproducible.patch
 # https://github.com/bartoszek/AUR-blender-2.83-git/blob/master/openexr3.patch
 Patch1:         blender-293-openexr3.patch
+# PATCH-FIX-OPENSUSE https://developer.blender.org/T94661 Fix for CVE-2022-0544
+Patch2:         0001-Fix-T94661-Out-of-bounds-memory-access-due-to-malfor.patch
+# PATCH-FIX-OPENSUSE https://developer.blender.org/T94629 Fix for CVE-2022-0545
+Patch3:         0001-Fix-T94629-The-IMB_flip-API-would-fail-with-large-im.patch
+# PATCH-FIX-OPENSUSE https://developer.blender.org/T94572 Fix for CVE-2022-0546
+Patch4:         0001-Fix-T89542-Crash-when-loading-certain-.hdr-files.patch
 BuildRequires:  OpenColorIO-devel >= 2.0
 BuildRequires:  OpenEXR-devel
 BuildRequires:  OpenImageIO
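Review bot: The comment on `Patch4` points to `https://developer.blender.org/T94572`, but the patch file it introduces is titled `Fix T89542` and the changes entry above lists it under T89542 as well, so one of the two task numbers looks wrong; if T94572 is a separate tracking task for the CVE the comment should say so, otherwise it should read `# PATCH-FIX-OPENSUSE https://developer.blender.org/T89542 Fix for CVE-2022-0546`. Since all three patches carry upstream commit ids in their headers, the usual openSUSE tag for them would be `PATCH-FIX-UPSTREAM` rather than `PATCH-FIX-OPENSUSE`, which is reserved for distribution-local fixes.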

++++++ 0001-Fix-T89542-Crash-when-loading-certain-.hdr-files.patch ++++++
>From 77616082f44da5258faf9ec0d53618c721b88c62 Mon Sep 17 00:00:00 2001
From: Jesse Yurkovich <jess...@gmail.com>
Date: Tue, 11 Jan 2022 20:48:32 -0800
Subject: [PATCH] Fix T89542: Crash when loading certain .hdr files

The direct cause of the bug in question was passing in the raw memory
buffer to sscanf. It should be called with a null-terminated buffer,
which isn't guaranteed when blindly trusting the file data.

When attempting to fuzz this code path, a variety of other crashes were
discovered and fixed.

Differential Revision: https://developer.blender.org/D11952
---
 source/blender/imbuf/intern/radiance_hdr.c | 28 +++++++++++++++++-----
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/source/blender/imbuf/intern/radiance_hdr.c 
b/source/blender/imbuf/intern/radiance_hdr.c
index 7f4e4dd31df..0bca68b93bc 100644
--- a/source/blender/imbuf/intern/radiance_hdr.c
+++ b/source/blender/imbuf/intern/radiance_hdr.c
@@ -77,7 +77,7 @@ static const unsigned char *oldreadcolrs(RGBE *scan,
     scan[0][BLU] = *mem++;
     scan[0][EXP] = *mem++;
     if (scan[0][RED] == 1 && scan[0][GRN] == 1 && scan[0][BLU] == 1) {
-      for (i = scan[0][EXP] << rshift; i > 0; i--) {
+      for (i = scan[0][EXP] << rshift; i > 0 && len > 0; i--) {
         COPY_RGBE(scan[-1], scan[0]);
         scan++;
         len--;
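Review bot: The new `len > 0` guard stops the run-length copy at the end of the scanline, but the loop body still reads `scan[-1]` with no visible check that a previous pixel exists, and `rshift` is not bounded anywhere in the hunk; if, as in the reference Radiance reader, `rshift` is advanced by 8 on consecutive repeat codes (not visible here), `scan[0][EXP] << rshift` can reach a shift count of 32 or more, which is undefined behaviour. A malformed file that exhausts `len` before `i` reaches zero now falls out of the loop silently rather than being reported, so whether the caller notices depends on code outside the hunk; a short comment such as `/* len exhausted before the repeat count: malformed RLE run, caller must check len */` would make that contract visible. `oldreadcolrs` begins and ends outside the hunk.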
@@ -227,7 +227,7 @@ struct ImBuf *imb_loadhdr(const unsigned char *mem,
   int found = 0;
   int width = 0, height = 0;
   const unsigned char *ptr, *mem_eof = mem + size;
-  char oriY[80], oriX[80];
+  char oriY[3], oriX[3];
 
   if (!imb_is_a_hdr(mem, size)) {
     return NULL;
@@ -244,13 +244,19 @@ struct ImBuf *imb_loadhdr(const unsigned char *mem,
     }
   }
 
-  if ((found && (x < (size + 2))) == 0) {
+  if ((found && (x < (size - 1))) == 0) {
     /* Data not found! */
     return NULL;
   }
 
-  if (sscanf((const char *)&mem[x + 1],
-             "%79s %d %79s %d",
+  x++;
+
+  /* sscanf requires a null-terminated buffer argument */
+  char buf[32] = {0};
+  memcpy(buf, &mem[x], MIN2(sizeof(buf) - 1, size - x));
+
+  if (sscanf(buf,
+             "%2s %d %2s %d",
              (char *)&oriY,
              &height,
              (char *)&oriX,
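Review bot: Copying into `buf` fixes the null-termination problem, but `%d` in `"%2s %d %2s %d"` is still undefined behaviour per C11 7.21.6.2 when the digit string does not fit in an `int`, and a header line longer than 31 bytes is silently truncated, so a dimension can be parsed from a partial digit string without any error. Parsing the two numbers with `strtol` and checking `errno == ERANGE` and the end pointer, or at least rejecting the line when `buf` fills without a trailing `'\n'`, would make both failure modes explicit. The `width < 1 || height < 1` test in the following hunk catches negative results but not the overflow itself. `imb_loadhdr` continues outside this hunk.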
@@ -258,8 +264,18 @@ struct ImBuf *imb_loadhdr(const unsigned char *mem,
     return NULL;
   }
 
+  if (width < 1 || height < 1) {
+    return NULL;
+  }
+
+  /* Checking that width x height does not extend past mem_eof is not easily 
possible
+   * since the format uses RLE compression. Can cause excessive memory 
allocation to occur. */
+
   /* find end of this line, data right behind it */
-  ptr = (const unsigned char *)strchr((const char *)&mem[x + 1], '\n');
+  ptr = (const unsigned char *)strchr((const char *)&mem[x], '\n');
+  if (ptr == NULL || ptr >= mem_eof) {
+    return NULL;
+  }
   ptr++;
 
   if (flags & IB_test) {
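Review bot: The `strchr` call at `ptr = (const unsigned char *)strchr((const char *)&mem[x], '\n');` has the same precondition the commit message cites for `sscanf` — a null-terminated buffer — so when the file data contains neither `'\n'` nor `'\0'` after `x`, the scan runs past `mem_eof` before the new `ptr >= mem_eof` check can reject the result. A bounded search removes the overread: `ptr = memchr(&mem[x], '\n', size - x);` followed by `if (ptr == NULL) { return NULL; }`, which also makes the `ptr >= mem_eof` comparison unnecessary. The comment about `width x height` is accurate; a cheap cap such as rejecting the image when `width > INT_MAX / height` would at least keep the product from overflowing `int` in the allocation that presumably follows outside the hunk.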
-- 
2.35.1


++++++ 0001-Fix-T94629-The-IMB_flip-API-would-fail-with-large-im.patch ++++++
>From 82858ca3f4e6dc6f840af9306c350900abd491fc Mon Sep 17 00:00:00 2001
From: Jesse Yurkovich <jess...@gmail.com>
Date: Thu, 6 Jan 2022 21:35:04 -0800
Subject: [PATCH] Fix T94629: The IMB_flip API would fail with large images

Fix IMB_flip[xy] to handle cases where integer overflow might occur when
given sufficiently large image dimensions.

All of these fixes were of a similar class where the intermediate
sub-expression would overflow silently. Widen the types as necessary.

Differential Revision: https://developer.blender.org/D13744
---
 source/blender/imbuf/intern/rotate.c | 62 +++++++++++++++-------------
 1 file changed, 34 insertions(+), 28 deletions(-)

diff --git a/source/blender/imbuf/intern/rotate.c 
b/source/blender/imbuf/intern/rotate.c
index 83dc29aa107..f02f3e37d6a 100644
--- a/source/blender/imbuf/intern/rotate.c
+++ b/source/blender/imbuf/intern/rotate.c
@@ -32,7 +32,7 @@
 
 void IMB_flipy(struct ImBuf *ibuf)
 {
-  int x, y;
+  size_t x_size, y_size;
 
   if (ibuf == NULL) {
     return;
@@ -41,21 +41,23 @@ void IMB_flipy(struct ImBuf *ibuf)
   if (ibuf->rect) {
     unsigned int *top, *bottom, *line;
 
-    x = ibuf->x;
-    y = ibuf->y;
+    x_size = ibuf->x;
+    y_size = ibuf->y;
+
+    const size_t stride = x_size * sizeof(int);
 
     top = ibuf->rect;
-    bottom = top + ((y - 1) * x);
-    line = MEM_mallocN(x * sizeof(int), "linebuf");
+    bottom = top + ((y_size - 1) * x_size);
+    line = MEM_mallocN(stride, "linebuf");
 
-    y >>= 1;
+    y_size >>= 1;
 
-    for (; y > 0; y--) {
-      memcpy(line, top, x * sizeof(int));
-      memcpy(top, bottom, x * sizeof(int));
-      memcpy(bottom, line, x * sizeof(int));
-      bottom -= x;
-      top += x;
+    for (; y_size > 0; y_size--) {
+      memcpy(line, top, stride);
+      memcpy(top, bottom, stride);
+      memcpy(bottom, line, stride);
+      bottom -= x_size;
+      top += x_size;
     }
 
     MEM_freeN(line);
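Review bot: With `y_size` now `size_t`, the new line `bottom = top + ((y_size - 1) * x_size);` wraps to `SIZE_MAX * x_size` when `ibuf->y` is 0, and forming that pointer is undefined even though the halved loop count then keeps the body from running; the same expression appears at `bottomf = topf + 4 * ((y_size - 1) * x_size);` in the `rect_float` hunk below. The old `int` code had the equivalent problem (`top - x`), so the commit does not make it worse, but a guard such as `if (ibuf->x == 0 || ibuf->y == 0) { return; }` placed right after the `ibuf == NULL` test would close it for both buffers. The declared types of `ibuf->x` and `ibuf->y` are not visible in the hunk; if they are signed, a negative value converts to a huge `size_t` and the guard should also reject values below zero before the conversion.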
@@ -64,21 +66,23 @@ void IMB_flipy(struct ImBuf *ibuf)
   if (ibuf->rect_float) {
     float *topf = NULL, *bottomf = NULL, *linef = NULL;
 
-    x = ibuf->x;
-    y = ibuf->y;
+    x_size = ibuf->x;
+    y_size = ibuf->y;
+
+    const size_t stride = x_size * 4 * sizeof(float);
 
     topf = ibuf->rect_float;
-    bottomf = topf + 4 * ((y - 1) * x);
-    linef = MEM_mallocN(4 * x * sizeof(float), "linebuf");
+    bottomf = topf + 4 * ((y_size - 1) * x_size);
+    linef = MEM_mallocN(stride, "linebuf");
 
-    y >>= 1;
+    y_size >>= 1;
 
-    for (; y > 0; y--) {
-      memcpy(linef, topf, 4 * x * sizeof(float));
-      memcpy(topf, bottomf, 4 * x * sizeof(float));
-      memcpy(bottomf, linef, 4 * x * sizeof(float));
-      bottomf -= 4 * x;
-      topf += 4 * x;
+    for (; y_size > 0; y_size--) {
+      memcpy(linef, topf, stride);
+      memcpy(topf, bottomf, stride);
+      memcpy(bottomf, linef, stride);
+      bottomf -= 4 * x_size;
+      topf += 4 * x_size;
     }
 
     MEM_freeN(linef);
@@ -99,20 +103,22 @@ void IMB_flipx(struct ImBuf *ibuf)
 
   if (ibuf->rect) {
     for (yi = y - 1; yi >= 0; yi--) {
+      const size_t x_offset = (size_t)x * yi;
       for (xr = x - 1, xl = 0; xr >= xl; xr--, xl++) {
-        SWAP(unsigned int, ibuf->rect[(x * yi) + xr], ibuf->rect[(x * yi) + 
xl]);
+        SWAP(unsigned int, ibuf->rect[x_offset + xr], ibuf->rect[x_offset + 
xl]);
       }
     }
   }
 
   if (ibuf->rect_float) {
     for (yi = y - 1; yi >= 0; yi--) {
+      const size_t x_offset = (size_t)x * yi;
       for (xr = x - 1, xl = 0; xr >= xl; xr--, xl++) {
-        memcpy(&px_f, &ibuf->rect_float[((x * yi) + xr) * 4], 
sizeof(float[4]));
-        memcpy(&ibuf->rect_float[((x * yi) + xr) * 4],
-               &ibuf->rect_float[((x * yi) + xl) * 4],
+        memcpy(&px_f, &ibuf->rect_float[(x_offset + xr) * 4], 
sizeof(float[4]));
+        memcpy(&ibuf->rect_float[(x_offset + xr) * 4],
+               &ibuf->rect_float[(x_offset + xl) * 4],
                sizeof(float[4]));
-        memcpy(&ibuf->rect_float[((x * yi) + xl) * 4], &px_f, 
sizeof(float[4]));
+        memcpy(&ibuf->rect_float[(x_offset + xl) * 4], &px_f, 
sizeof(float[4]));
       }
     }
   }
-- 
2.35.1


++++++ 0001-Fix-T94661-Out-of-bounds-memory-access-due-to-malfor.patch ++++++
>From bbad834f1c2a1f7030ed9741c486b23241e8885e Mon Sep 17 00:00:00 2001
From: Sergey Sharybin <ser...@blender.org>
Date: Mon, 10 Jan 2022 14:26:57 +0100
Subject: [PATCH] Fix T94661: Out-of-bounds memory access due to malformed DDS
 image file

Harden bounds check in the stream reader avoiding integer overflow.
---
 source/blender/imbuf/intern/dds/Stream.cpp | 25 +++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/source/blender/imbuf/intern/dds/Stream.cpp 
b/source/blender/imbuf/intern/dds/Stream.cpp
index 3dab3c35675..31bf2076ed1 100644
--- a/source/blender/imbuf/intern/dds/Stream.cpp
+++ b/source/blender/imbuf/intern/dds/Stream.cpp
@@ -26,6 +26,21 @@
 static const char *msg_error_seek = "DDS: trying to seek beyond end of stream 
(corrupt file?)";
 static const char *msg_error_read = "DDS: trying to read beyond end of stream 
(corrupt file?)";
 
+inline bool is_read_within_bounds(const Stream &mem, unsigned int cnt)
+{
+  if (mem.pos >= mem.size) {
+    /* No more data remained in the memory buffer. */
+    return false;
+  }
+
+  if (cnt > mem.size - mem.pos) {
+    /* Reading past the memory bounds. */
+    return false;
+  }
+
+  return true;
+}
+
 unsigned int Stream::seek(unsigned int p)
 {
   if (p > size) {
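Review bot: `is_read_within_bounds` is a file-local helper but is declared `inline` rather than `static inline`, so it has external linkage and its name is exported from this translation unit; `static inline bool is_read_within_bounds(const Stream &mem, unsigned int cnt)` keeps it private. The first check also changes one edge case: a zero-length read (`cnt == 0`) at `mem.pos == mem.size` now reports failure, whereas the old `mem.pos + cnt > mem.size` test allowed it — harmless if no caller issues empty reads, which cannot be confirmed from this hunk. The types of `mem.pos` and `mem.size` are declared outside the hunk; the subtraction is only safe if both are unsigned and `pos <= size` is an invariant maintained by `seek`, which the visible `if (p > size)` check suggests but does not prove.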
@@ -40,7 +55,7 @@ unsigned int Stream::seek(unsigned int p)
 
 unsigned int mem_read(Stream &mem, unsigned long long &i)
 {
-  if (mem.pos + 8 > mem.size) {
+  if (!is_read_within_bounds(mem, 8)) {
     mem.set_failed(msg_error_seek);
     return 0;
   }
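Review bot: The 8-byte overload still reports `msg_error_seek` on a failed read, while the four sibling overloads below use `msg_error_read`; the line inside the new guard should be `mem.set_failed(msg_error_read);`. This is pre-existing, but since the hunk already touches the guard it is the natural place to fix the message, and the mismatched text would mislead anyone triaging a corrupt-file report from the log.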
@@ -51,7 +66,7 @@ unsigned int mem_read(Stream &mem, unsigned long long &i)
 
 unsigned int mem_read(Stream &mem, unsigned int &i)
 {
-  if (mem.pos + 4 > mem.size) {
+  if (!is_read_within_bounds(mem, 4)) {
     mem.set_failed(msg_error_read);
     return 0;
   }
@@ -62,7 +77,7 @@ unsigned int mem_read(Stream &mem, unsigned int &i)
 
 unsigned int mem_read(Stream &mem, unsigned short &i)
 {
-  if (mem.pos + 2 > mem.size) {
+  if (!is_read_within_bounds(mem, 2)) {
     mem.set_failed(msg_error_read);
     return 0;
   }
@@ -73,7 +88,7 @@ unsigned int mem_read(Stream &mem, unsigned short &i)
 
 unsigned int mem_read(Stream &mem, unsigned char &i)
 {
-  if (mem.pos + 1 > mem.size) {
+  if (!is_read_within_bounds(mem, 1)) {
     mem.set_failed(msg_error_read);
     return 0;
   }
@@ -84,7 +99,7 @@ unsigned int mem_read(Stream &mem, unsigned char &i)
 
 unsigned int mem_read(Stream &mem, unsigned char *i, unsigned int cnt)
 {
-  if (mem.pos + cnt > mem.size) {
+  if (!is_read_within_bounds(mem, cnt)) {
     mem.set_failed(msg_error_read);
     return 0;
   }
-- 
2.35.1
