Impact
The DDS codec did not properly guard against width/height combinations that could overflow a 32-bit unsigned integer byte count when computing image size.
Patches
In the August 5, 2018 version, when support for 16k textures was added, this issue was fixed as a side effect.
Workarounds
The changes in this commit could be pulled back to your version.
Notes
This issue does not impact DDSTextureLoader or WICTextureLoader, because those use maximum bounds based on the Direct3D hardware limitations, which generally prevent this overflow. DirectXTex was allowed to handle larger files to provide support for resizing them down to the supported limitations.
For additional hardening of the DirectXTex library, the August 15, 2020 release includes this commit to default to applying the same size limitations as DDSTextureLoader unless the DDS_FLAGS_ALLOW_LARGE_FILES flag is provided (i.e. opt-in support for tools).
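The overflow described above, as an added example that is not DirectXTex's own code: an unchecked 32-bit byte-count computation beside a checked one that computes in 64 bits, rejects results that do not fit a 32-bit count, and applies a dimension cap unless a caller opts in. The 16384 cap and the allow_large parameter are assumptions standing in for the Direct3D hardware limit and the DDS_FLAGS_ALLOW_LARGE_FILES flag.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed cap standing in for the Direct3D maximum 2D texture dimension. */
#define MAX_TEXTURE_DIMENSION 16384u

/* Unchecked form: every multiplication happens in 32 bits, so a large
 * width/height pair silently wraps to a small (even zero) byte count. */
uint32_t unchecked_image_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t row_pitch = (width * bpp + 7u) / 8u;   /* may wrap */
    return row_pitch * height;                       /* may wrap */
}

/* Checked form: 64-bit intermediates, explicit range checks, and a
 * dimension cap that is only lifted when the caller opts in (allow_large).
 * Returns false on rejection and leaves *out untouched. */
bool checked_image_bytes(uint32_t width, uint32_t height, uint32_t bpp,
                         bool allow_large, uint32_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return false;
    if (!allow_large &&
        (width > MAX_TEXTURE_DIMENSION || height > MAX_TEXTURE_DIMENSION))
        return false;

    uint64_t row_pitch = ((uint64_t)width * bpp + 7u) / 8u;
    if (row_pitch > UINT32_MAX)           /* keeps the next product in range */
        return false;
    uint64_t total = row_pitch * height;  /* < 2^64 since both are < 2^32 */
    if (total > UINT32_MAX)
        return false;

    *out = (uint32_t)total;
    return true;
}

int main(void)
{
    /* Constructed 65536x65536 32-bpp header: 2^34 bytes, wraps to 0 in 32 bits. */
    uint32_t n = 0;
    printf("unchecked: %u bytes\n", unchecked_image_bytes(65536u, 65536u, 32u));
    printf("checked:   %s\n",
           checked_image_bytes(65536u, 65536u, 32u, true, &n) ? "ok" : "rejected");
    return 0;
}
```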
References
Applies to both CVE-2020-16856 and CVE-2020-16874.