fix(dds): clamp pixel memcpy to sizeof(uint32_t) to prevent stack overflow #5287

Merged
lgritz merged 1 commit into AcademySoftwareFoundation:main from lgritz:lg-dds-clamp
Jul 2, 2026

@lgritz lgritz commented Jul 2, 2026

Collaborator

The mask-based uncompressed decode path copies m_Bpp bytes into a uint32_t pixel variable. m_Bpp is validated up to 16 (for 128-bit DXGI formats), but the legacy fmt.masks[] are uint32_t and can only address 32 bits. A corrupt file with m_Bpp > 4 caused a stack-buffer-overflow. Clamp the copy to sizeof(pixel) = 4 bytes, which is all the masks can reference anyway.

Assisted-by: Claude Code / claude-sonnet-4-6

…rflow

The mask-based uncompressed decode path copies m_Bpp bytes into a
uint32_t pixel variable. m_Bpp is validated up to 16 (for 128-bit DXGI
formats), but the legacy fmt.masks[] are uint32_t and can only address
32 bits. A corrupt file with m_Bpp > 4 caused a stack-buffer-overflow.
Clamp the copy to sizeof(pixel) = 4 bytes, which is all the masks can
reference anyway.

Assisted-by: Claude Code / claude-sonnet-4-6

Signed-off-by: Larry Gritz <lg@larrygritz.com>
@lgritz lgritz merged commit d11941e into AcademySoftwareFoundation:main Jul 2, 2026
27 checks passed
@lgritz lgritz deleted the lg-dds-clamp branch July 2, 2026 20:18
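
The clamp described in this PR, shown as an added C example that is not OpenImageIO's code. All function names, the mask value and the sample row are assumptions made for illustration; only the idea of limiting the copy to `sizeof(pixel)` comes from the PR description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All names are hypothetical; only the clamp follows the PR description. */
/* Pattern described as overflowing: bpp is file-controlled (up to 16) but the
   destination is 4 bytes. Shown for contrast only; never called. */
uint32_t load_pixel_unclamped(const uint8_t *src, size_t bpp) {
    uint32_t pixel = 0;
    memcpy(&pixel, src, bpp);            /* writes past 'pixel' when bpp > 4 */
    return pixel;
}

/* Clamped: copy at most sizeof(pixel) bytes, all a 32-bit mask can select. */
uint32_t load_pixel(const uint8_t *src, size_t bpp) {
    uint32_t pixel = 0;
    size_t n = bpp < sizeof(pixel) ? bpp : sizeof(pixel);
    memcpy(&pixel, src, n);
    return pixel;
}

/* Extract one channel with a legacy-style 32-bit mask. */
uint32_t extract_channel(uint32_t pixel, uint32_t mask) {
    unsigned shift = 0;
    if (mask == 0) return 0;
    while (((mask >> shift) & 1u) == 0) ++shift;
    return (pixel & mask) >> shift;
}

/* Decode one channel of a row: advance by the file's bpp, read at most 4
   bytes per pixel. Returns -1 if the row is too short for width * bpp. */
int decode_row(const uint8_t *row, size_t row_len, size_t width, size_t bpp,
               uint32_t mask, uint32_t *out) {
    if (bpp == 0 || width > row_len / bpp) return -1;
    for (size_t x = 0; x < width; ++x)
        out[x] = extract_channel(load_pixel(row + x * bpp, bpp), mask);
    return 0;
}

int main(void) {
    uint8_t row[32]; uint32_t out[2];    /* constructed sample: 2 pixels, bpp = 16 */
    memset(row, 0xCD, sizeof row);       /* bytes the masks cannot reach */
    memset(row, 0xAB, 4);                /* first 4 bytes of pixel 0 */
    memset(row + 16, 0x12, 4);           /* first 4 bytes of pixel 1 */
    if (decode_row(row, sizeof row, 2, 16, 0x00FF0000u, out) == 0)
        printf("%02x %02x\n", (unsigned)out[0], (unsigned)out[1]);
    return 0;
}
```

The source pointer still advances by the full bytes-per-pixel value, so the clamp changes only how many bytes land in the 4-byte destination, not which pixel is read.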