diff -Naur blender-2.68a-original/source/blender/imbuf/intern/radiance_hdr.c blender-2.68a/source/blender/imbuf/intern/radiance_hdr.c
--- blender-2.68a-original/source/blender/imbuf/intern/radiance_hdr.c 2022-05-02 10:29:14.166940116 -0400
+++ blender-2.68a/source/blender/imbuf/intern/radiance_hdr.c 2022-05-02 10:42:26.562134610 -0400
@@ -82,7 +82,7 @@
scan[0][BLU] = *mem++;
scan[0][EXP] = *mem++;
if (scan[0][RED] == 1 && scan[0][GRN] == 1 && scan[0][BLU] == 1) {
- for (i = scan[0][EXP] << rshift; i > 0; i--) {
+ for (i = scan[0][EXP] << rshift; i > 0 && len > 0; i--) {
COPY_RGBE(scan[-1], scan[0]);
scan++;
len--;
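Review bot: The added `len > 0` guard bounds writes into the output scanline, but the `*mem++` reads of the run header just above it (the BLU and EXP reads are visible as context, the RED and GRN reads precede the hunk) are still not checked against the end of the input buffer, so a truncated file can still make this code read past the end of `mem`. Unless the enclosing function already receives an end pointer that is not visible here, it should be given one (the `mem_eof` that the loader hunk below introduces) and return before these reads when fewer than four bytes remain. The enclosing function starts and ends outside the hunk. A short why-comment on the changed line would also help the next reader: `/* len > 0: a run may claim more pixels than remain in the scanline */`.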
@@ -184,8 +184,8 @@
float *rect_float;
int found = 0;
int width = 0, height = 0;
- unsigned char *ptr;
- char oriY[80], oriX[80];
+ unsigned char *ptr, *mem_eof = mem + size;
+ char oriY[3], oriX[3];
if (imb_is_a_hdr((void *)mem)) {
size_t x;
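Review bot: `unsigned char *ptr, *mem_eof = mem + size;` mixes an uninitialized and an initialized declarator on one line, which hides the new bound in the middle of the declaration list; split it into `unsigned char *ptr;` and `unsigned char *mem_eof = mem + size; /* one past the last readable byte of mem */` so the invariant the later `ptr >= mem_eof` check relies on is stated where the pointer is defined. The enclosing function starts before the hunk.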
@@ -198,17 +198,35 @@
break;
}
}
- if (found && (x < (size + 2))) {
+ if (found && (x < (size - 1))) {
size_t y;
- if (sscanf((char *)&mem[x + 1], "%79s %d %79s %d", (char *)&oriY, &height,
- (char *)&oriX, &width) != 4)
- {
- return NULL;
+ x++;
+
+ /* sscanf requires a null-terminated buffer argument */
+ {
+ char buf[32] = {0};
+ memcpy(buf, &mem[x], MIN2(sizeof(buf) - 1, size - x));
+
+ if (sscanf((char *)&mem[x + 1], "%2s %d %2s %d", (char *)&oriY, &height,
+ (char *)&oriX, &width) != 4)
+ {
+ return NULL;
+ }
}
+ if (width < 1 || height < 1) {
+ return NULL;
+ }
+
+ /* Checking that width x height does not extend past mem_eof is not easily possible
+ * since the format uses RLE compression. Can cause excessive memory allocation to occur. */
+
/* find end of this line, data right behind it */
- ptr = (unsigned char *)strchr((char *)&mem[x + 1], '\n');
+ ptr = (unsigned char *)strchr((char *)&mem[x], '\n');
+ if (ptr == NULL || ptr >= mem_eof) {
+ return NULL;
+ }
ptr++;
if (flags & IB_test) ibuf = IMB_allocImBuf(width, height, 32, 0);
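Review bot: The `sscanf` right after the new `memcpy` still parses `&mem[x + 1]` instead of the `buf` the block just built, so the NUL-terminated copy is dead and the parse still runs on the unterminated input the comment says it must not; and because `x` is incremented on the line above, `&mem[x + 1]` now starts one byte later than the original `&mem[x + 1]` did. The fix is the one line `if (sscanf(buf, "%2s %d %2s %d", (char *)&oriY, &height,`. Separately, the `ptr == NULL || ptr >= mem_eof` check only inspects the result of `strchr`; `strchr` itself can scan beyond `mem_eof` when no newline occurs before the end of the buffer, so a bounded `memchr(&mem[x], '\n', size - x)` is the safer call here. The enclosing function continues past the hunk.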