DDS: fix buffer overflow in readCubeMap

The issue was identified by OSS Fuzz and the feature was not covered by our tests. - Added earth-cubemap.dds under MIT licenses taken from [Open Toolkit library](https://github.com/mono/opentk/tree/main/Source/Examples/Data/Textures) - Fix a wrong image size returned by a cubemap image - Read test skips .license files
2025-05-28 00:30:23 -04:00 · 2024-12-12 09:42:24 +00:00 · 2024-12-12 09:42:24 +00:00 · ecbcf3b7f4
commit ecbcf3b7f4
parent 87eff569a4
7 changed files with 29 additions and 4 deletions
--- a/autotests/read/dds/earth-cubemap.dds
+++ b/autotests/read/dds/earth-cubemap.dds
--- a/autotests/read/dds/earth-cubemap.license
+++ b/autotests/read/dds/earth-cubemap.license
@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: Copyright (c) 2006 - 2010 The Open Toolkit library.
+SPDX-License-Identifier: MIT
--- a/autotests/read/dds/earth-cubemap.png
+++ b/autotests/read/dds/earth-cubemap.png
--- a/autotests/readtest.cpp
+++ b/autotests/readtest.cpp
@ -263,7 +263,7 @@ int main(int argc, char **argv)
        }
        for (const QFileInfo &fi : lstImgDir) {
            TemplateImage timg(fi);
-            if (timg.isTemplate()) {
+            if (timg.isTemplate() || timg.isLicense()) {
                continue;
            }

--- a/autotests/templateimage.cpp
+++ b/autotests/templateimage.cpp
@ -28,6 +28,11 @@ bool TemplateImage::isTemplate() const
    return false;
 }

+bool TemplateImage::isLicense() const
+{
+    return !m_fi.suffix().compare(QStringLiteral("license"), Qt::CaseInsensitive);
+}
+
 QFileInfo TemplateImage::compareImage(TestFlags &flags, QString& comment) const
 {
    auto fi = jsonImage(flags, comment);
--- a/autotests/templateimage.h
+++ b/autotests/templateimage.h
@ -47,6 +47,12 @@ public:
     */
    bool isTemplate() const;

+    /*!
+     * \brief isLicense
+     * \return True if the file suffix is .license
+     */
+    bool isLicense() const;
+
    /*!
     * \brief compareImage
     * \param flags Flags for modifying test behavior (e.g. image format not supported by current Qt version).
--- a/src/imageformats/dds.cpp
+++ b/src/imageformats/dds.cpp
@ -403,6 +403,11 @@ QDataStream &operator<<(QDataStream &s, const DDSHeaderDX10 &header)
    return s;
 }

+inline qsizetype ptrDiff(const void *end, const void *start)
+{
+    return qsizetype(reinterpret_cast<const char*>(end) - reinterpret_cast<const char*>(start));
+}
+
 static inline int maskToShift(quint32 mask)
 {
    if (mask == 0)
@ -1633,9 +1638,16 @@ static QImage readCubeMap(QDataStream &s, const DDSHeader &dds, const int fmt)

        // Copy face on the image.
        for (quint32 y = 0; y < dds.height; y++) {
-            const QRgb *src = reinterpret_cast<const QRgb *>(face.scanLine(y));
+            if (y + offset_y >= quint32(image.height())) {
+                return {};
+            }
+            const QRgb *src = reinterpret_cast<const QRgb *>(face.constScanLine(y));
            QRgb *dst = reinterpret_cast<QRgb *>(image.scanLine(y + offset_y)) + offset_x;
-            memcpy(dst, src, sizeof(QRgb) * dds.width);
+            qsizetype sz = sizeof(QRgb) * dds.width;
+            if (ptrDiff(face.bits() + face.sizeInBytes(), src) < sz || ptrDiff(image.bits() + image.sizeInBytes(), dst) < sz) {
+                return {};
+            }
+            memcpy(dst, src, sz);
        }
    }

@ -1777,7 +1789,7 @@ QVariant QDDSHandler::option(QImageIOHandler::ImageOption option) const

    switch (option) {
    case QImageIOHandler::Size:
-        return QSize(m_header.width, m_header.height);
+        return isCubeMap(m_header) ? QSize(m_header.width * 4, m_header.height * 3) : QSize(m_header.width, m_header.height);
    case QImageIOHandler::SubType:
        return formatName(m_format);
    case QImageIOHandler::SupportedSubTypes: