Page MenuHome
Differential D10357

Fix T71960: Malformed .bmp files lead to crash
ClosedPublic
Actions

Authored by Sergey Sharybin (sergey) on Feb 8 2021, 12:28 PM.

Details

Reviewers
Bastien Montagne (mont29)
Campbell Barton (campbellbarton)
Commits
rB7c864388fc0d: Fix T71960: Malformed .bmp files lead to crash
Summary

Add a boundary check, avoiding access past actual data.

Ideally would need to report error to the user somehow,
but it doesn't seem to be easy to do.

Not sure if it is safe enough for 2.92. It is an old bug,
so might play save and only apply for 2.93?

Diff Detail

Repository
rB Blender
Branch
fix_T71960 (branched from master)
Build Status
Buildable 12720
Build 12720: arc lint + arc unit

Event Timeline

Sergey Sharybin (sergey) requested review of this revision.Feb 8 2021, 12:28 PM
Sergey Sharybin (sergey) created this revision.
Harbormaster completed remote builds in B12715: Diff 33704.Feb 8 2021, 12:28 PM
Bastien Montagne (mont29) added a comment.Feb 8 2021, 3:45 PM

Looks like imb_bmp_calc_row_size_in_bytes makes some hidden assumptions about actual data size (i.e. either 8bits, or 24bits), which should be documented in a comment I think? Or is it common, expected behavior with bmp files? At least it seems to differ from code in imb_bmp_decode itself when setting ibuf_depth?

Otherwise patch LGTM.

Sergey Sharybin (sergey) added a comment.Feb 8 2021, 3:55 PM

Looks like imb_bmp_calc_row_size_in_bytes makes some hidden assumptions about actual data size (i.e. either 8bits, or 24bits), which should be documented in a comment I think? Or is it common, expected behavior with bmp files?

This comes straight from Wikipedia's page about BMP.

One possible improvement/cleanup is to replace const int rowsize = (depth * x + 31) / 32 * 4; with the row_size_in_bytes.

At least it seems to differ from code in imb_bmp_decode itself when setting ibuf_depth

There seems to be a discrepancy between ibuf_depth and depth: the former denotes depth in the ImBuf, the latter one denotes how to access the pixels data, We are interested in the latter one.

Bastien Montagne (mont29) accepted this revision.Feb 8 2021, 4:04 PM

OK, then LGTM. And think this should go into 2.92 yes, we are not yet in BCon4, and fix looks fairly straightforward?

This revision is now accepted and ready to land.Feb 8 2021, 4:04 PM
Sergey Sharybin (sergey) updated this revision to Diff 33716.Feb 8 2021, 4:05 PM

Cleanup: De-duplicate row size calculation

Harbormaster completed remote builds in B12720: Diff 33716.Feb 8 2021, 4:05 PM
Sergey Sharybin (sergey) added a comment.Feb 8 2021, 4:06 PM

@Bastien Montagne (mont29), did the cleanup. Should be no-functional changes. The change is indeed straightforward, but there is always a possibility to make a mistake in simple math. Hence extra eyes!

Jesse Yurkovich (deadpin) added a subscriber: Jesse Yurkovich (deadpin).Feb 8 2021, 10:04 PM

This patch still seems susceptible to various crashes. Attached are 2 more example files[2].

There was another patch[1] attached to the bug where I attempted a more complete fix but it needs updating a bit from recent changes. I can attempt to resurrect and re-test it this week if you like.

[1] D7945
[2] Examples

crash01.bmp130 BDownload

crash00.bmp258 BDownload

Sergey Sharybin (sergey) added a comment.Feb 9 2021, 11:25 AM

There are many missing checks in this patch indeed. You you start fuzzing the input, you'll discover even more.
Main goal was to tighten some nuts, avoiding obvious crashes. Also, keep in mind, if the change becomes too complex, it might be rather risky to put it into the 2.92 branch.

If you can resurrect your change and make it rock-solid please do it, that'd help a lot! I somehow missed the fact that you had a patch already, and there is no real need to duplicate the efforts.

For the time being, shall we go with more localized solution? I kind of feel we should put simpler/smaller patch to 2.92, solving actual user problem, and then put real complete fix from @Jesse Yurkovich (deadpin) into master. How people feel about this?

Bastien Montagne (mont29) added a comment.Feb 9 2021, 11:36 AM
In D10357#260502, @Sergey Sharybin (sergey) wrote:

For the time being, shall we go with more localized solution? I kind of feel we should put simpler/smaller patch to 2.92, solving actual user problem, and then put real complete fix from @Jesse Yurkovich (deadpin) into master. How people feel about this?

Make sense to me, that kind of fix can totally be done incrementally.

Jesse Yurkovich (deadpin) mentioned this in D7945: Fix T71960: Malformed .bmp files lead to crash.Feb 12 2021, 12:53 AM

Not sure if you were waiting for me but your plan makes sense. Checkin your fix for 2.92 and I'll get my patch ready for 2.93 etc.

Closed by commit rB7c864388fc0d: Fix T71960: Malformed .bmp files lead to crash (authored by Sergey Sharybin (sergey)). · Explain WhyFeb 15 2021, 11:21 AM
This revision was automatically updated to reflect the committed changes.
Sergey Sharybin (sergey) added a commit: rB7c864388fc0d: Fix T71960: Malformed .bmp files lead to crash.

Revision Contents
Changeset List

PathSize
source/
blender/
imbuf/
intern/
21 lines

Diff 33716

View Options

source/blender/imbuf/intern/bmp.c

Loading...