Fix plain texture pixel size overflow#5044
Open
HeresHavi wants to merge 1 commit into
Open
Conversation
Validate plain-pixel buffer dimensions using 64-bit arithmetic so large dimensions cannot wrap to an undersized accepted buffer and cause an out-of-bounds read in dxSetTexturePixels.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Changed the plain-pixel size check in
CPixelsManager::GetPlainDimensionsto use 64-bit arithmetic.Large width and height values can no longer wrap into a smaller buffer size and pass validation.
Motivation
The expected plain-pixel size was calculated using 32-bit arithmetic. Dimensions of
32768 × 32769require a little over 4 GiB, but the calculation wrapped to only131076bytes.The undersized buffer was then accepted by
dxSetTexturePixels. Its claimed width produced a source row pitch of131072bytes, causing later rows to be read beyond the supplied Lua string.For example, a client resource might generate pixel data for a texture effect. If its width or height metadata becomes corrupted or is calculated incorrectly, the old validation could accept the buffer and crash the player's client during the copy.
Crash Stack
Test plan
Runtime
64 × 64plain-pixel buffer containing16388bytes returnedtruebefore and after the fix.131076-byte buffer claiming dimensions of32768 × 32769caused an access violation inCPixelsManager::SetSurfacePixels.false, and the client stayed open.Builds and Tests
Debug | Win32: Full rebuild passed.Release | Win32: Full rebuild passed.Debug | x64: Full rebuild passed.Release | x64: Full rebuild passed.clang-format.Checklist