Fix #135441: integer overflow with large displacement modifier image

The offset calculation would overflow inside `ibuf_get_color` given the
incoming arguments and image size.

Another similar problem, found from quick inspection, would occur inside
`ibuf_get_color_clip` as well.

Pull Request: https://projects.blender.org/blender/blender/pulls/135476
Jesse Yurkovich
2025-03-05 20:48:47 +01:00
committed by Jesse Yurkovich
parent 23a97dd965
commit 2d915869f7


@@ -49,7 +49,7 @@ static void boxsample(ImBuf *ibuf,
/* x and y have to be checked for image size */
static void ibuf_get_color(float col[4], ImBuf *ibuf, int x, int y)
{
int ofs = y * ibuf->x + x;
const int64_t ofs = int64_t(y) * ibuf->x + x;
if (ibuf->float_buffer.data) {
if (ibuf->channels == 4) {
@@ -698,7 +698,7 @@ static int ibuf_get_color_clip(float col[4], ImBuf *ibuf, int x, int y, int extf
}
if (ibuf->float_buffer.data) {
const float *fp = ibuf->float_buffer.data + (x + y * ibuf->x) * ibuf->channels;
const float *fp = ibuf->float_buffer.data + (x + int64_t(y) * ibuf->x) * ibuf->channels;
if (ibuf->channels == 1) {
col[0] = col[1] = col[2] = col[3] = *fp;
}
@@ -710,7 +710,7 @@ static int ibuf_get_color_clip(float col[4], ImBuf *ibuf, int x, int y, int extf
}
}
else {
const uchar *rect = ibuf->byte_buffer.data + 4 * (x + y * ibuf->x);
const uchar *rect = ibuf->byte_buffer.data + 4 * (x + int64_t(y) * ibuf->x);
float inv_alpha_fac = (1.0f / 255.0f) * rect[3] * (1.0f / 255.0f);
col[0] = rect[0] * inv_alpha_fac;
col[1] = rect[1] * inv_alpha_fac;
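Review bot: The three index expressions are widened by hand at each site, and the commit message says the `ibuf_get_color_clip` ones were found by quick inspection, so other `x + y * ibuf->x` computations in this file may still be evaluated in 32-bit `int` and overflow into an out-of-bounds read on very large images. A single helper such as `static int64_t ibuf_pixel_index(const ImBuf *ibuf, int x, int y) { return int64_t(y) * ibuf->x + x; }`, used at all three places, would keep the width in one spot and make any remaining sites easy to grep for. `ibuf_get_color` also still depends on its callers for the bounds check noted in the comment above it; a `BLI_assert(x >= 0 && x < ibuf->x && y >= 0 && y < ibuf->y);` at the top would catch a bad caller in debug builds. Both function bodies continue outside the hunks shown, so the later uses of `ofs` and the clipping ahead of `fp`/`rect` are not visible here.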