diff -Naur blender-2.68a-original/source/blender/imbuf/intern/radiance_hdr.c blender-2.68a/source/blender/imbuf/intern/radiance_hdr.c
--- blender-2.68a-original/source/blender/imbuf/intern/radiance_hdr.c 2022-05-02 10:29:14.166940116 -0400
+++ blender-2.68a/source/blender/imbuf/intern/radiance_hdr.c 2022-05-02 10:42:26.562134610 -0400
@@ -82,7 +82,7 @@
 scan[0][BLU] = *mem++;
 scan[0][EXP] = *mem++;
 if (scan[0][RED] == 1 && scan[0][GRN] == 1 && scan[0][BLU] == 1) {
- for (i = scan[0][EXP] << rshift; i > 0; i--) {
+ for (i = scan[0][EXP] << rshift; i > 0 && len > 0; i--) {
 COPY_RGBE(scan[-1], scan[0]);
 scan++;
 len--;
@@ -184,8 +184,8 @@
 float *rect_float;
 int found = 0;
 int width = 0, height = 0;
- unsigned char *ptr;
- char oriY[80], oriX[80];
+ unsigned char *ptr, *mem_eof = mem + size;
+ char oriY[3], oriX[3];
 if (imb_is_a_hdr((void *)mem)) {
 size_t x;
@@ -198,17 +198,35 @@
 break;
 }
 }
- if (found && (x < (size + 2))) {
+ if (found && (x < (size - 1))) {
 size_t y;
- if (sscanf((char *)&mem[x + 1], "%79s %d %79s %d", (char *)&oriY, &height,
- (char *)&oriX, &width) != 4)
- {
- return NULL;
+ x++;
+
+ /* sscanf requires a null-terminated buffer argument */
+ {
+ char buf[32] = {0};
+ memcpy(buf, &mem[x], MIN2(sizeof(buf) - 1, size - x));
+
+ if (sscanf((char *)&mem[x + 1], "%2s %d %2s %d", (char *)&oriY, &height,
+ (char *)&oriX, &width) != 4)
+ {
+ return NULL;
+ }
 }
+ if (width < 1 || height < 1) {
+ return NULL;
+ }
+
+ /* Checking that width x height does not extend past mem_eof is not easily possible
+ * since the format uses RLE compression. Can cause excessive memory allocation to occur. */
+
 /* find end of this line, data right behind it */
- ptr = (unsigned char *)strchr((char *)&mem[x + 1], '\n');
+ ptr = (unsigned char *)strchr((char *)&mem[x], '\n');
+ if (ptr == NULL || ptr >= mem_eof) {
+ return NULL;
+ }
 ptr++;
 if (flags & IB_test) ibuf = IMB_allocImBuf(width, height, 32, 0);
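Review bot: The added `len > 0` guard in the repeat loop stops the run from writing past the end of the scanline, but a run whose count exceeds the remaining `len` is now silently truncated instead of being reported, so a malformed file decodes as if valid; if the caller checks this function's return value, a truncated run should probably be treated as a decode failure. The run count `scan[0][EXP] << rshift` is not bounded in this hunk: if `rshift` can grow to the width of `int` or beyond (its updates are outside the hunk, so I cannot tell), the shift is undefined behaviour and the loop bound becomes garbage. `COPY_RGBE(scan[-1], scan[0])` also reads the pixel before the current one, which is out of bounds when a repeat marker is the first entry of a scanline; whether that case is rejected earlier is not visible here. The enclosing function begins and ends outside the hunk.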
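Review bot: `oriY[3]` and `oriX[3]` hold two characters plus the terminator, which is only safe because the sscanf format in the following hunk changes to `%2s`; the two edits are coupled and the declaration should say so, e.g. `char oriY[3], oriX[3];  /* 2 chars + NUL: must match the "%2s" widths in the sscanf below */`. `mem_eof = mem + size` is a one-past-the-end pointer, so every bound check against it must use `>=`, as the later `ptr >= mem_eof` test does, and it assumes `size` is the byte length of `mem`, which the hunk does not show. While checking that coupling I noticed that the null-terminated `buf` the following hunk builds is never passed to `sscanf`, which still reads `(char *)&mem[x + 1]` (now one byte further than `buf` starts, since `x` was incremented), so the "sscanf requires a null-terminated buffer" comment is not honoured by the code beneath it; the call should read from `buf`. The enclosing function's body continues outside this hunk.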