From f58ca9b0558c78be2164b2f431bc84011330abd3 Mon Sep 17 00:00:00 2001 From: Stefan Werner Date: Thu, 30 Oct 2025 10:32:59 +0100 Subject: [PATCH 1/5] Added size limit check for buffer stride --- kernels/common/rtcore.cpp | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/kernels/common/rtcore.cpp b/kernels/common/rtcore.cpp index 34306436e5..5f8ec82c7e 100644 --- a/kernels/common/rtcore.cpp +++ b/kernels/common/rtcore.cpp @@ -1857,6 +1857,9 @@ RTC_API void rtcSetGeometryTransform(RTCGeometry hgeometry, unsigned int timeSte if (itemCount > 0xFFFFFFFFu) throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"buffer too large"); + if (byteStride > 0xFFFFFFFFu) + throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"stride too large"); + geometry->setBuffer(type, slot, format, buffer, byteOffset, byteStride, (unsigned int)itemCount); RTC_CATCH_END2(geometry); } @@ -1871,6 +1874,9 @@ RTC_API void rtcSetGeometryTransform(RTCGeometry hgeometry, unsigned int timeSte if (itemCount > 0xFFFFFFFFu) throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"buffer too large"); + if (byteStride > 0xFFFFFFFFu) + throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"stride too large"); + Ref buffer = new Buffer(geometry->device, itemCount*byteStride, (char*)ptr + byteOffset); geometry->setBuffer(type, slot, format, buffer, 0, byteStride, (unsigned int)itemCount); RTC_CATCH_END2(geometry); @@ -1889,6 +1895,9 @@ RTC_API void rtcSetGeometryTransform(RTCGeometry hgeometry, unsigned int timeSte if (itemCount > 0xFFFFFFFFu) throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"buffer too large"); + if (byteStride > 0xFFFFFFFFu) + throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"stride too large"); + if ((ptr == nullptr) || (dptr == nullptr)) throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"host and device pointer may not be NULL pointers when using SYCL devices"); 
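Review bot: The added `byteStride > 0xFFFFFFFFu` test before `geometry->setBuffer(...)` repeats the bare magic constant that `itemCount` is already checked against, and this series copies that pair five times across rtcore.cpp; spelling the bound as `std::numeric_limits<unsigned int>::max()` (or one `static` helper that checks both arguments) would say what the limit is and keep the copies from drifting. The comparison also only does anything where `size_t` is wider than 32 bits; on an ILP32 target it is always false, so if such builds are supported the narrowing to `unsigned int` needs a different guard. Whether `setBuffer` itself narrows `byteStride` to 32 bits is not visible from this hunk. The enclosing function starts before this hunk.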
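Review bot: The `Buffer` constructed from `itemCount*byteStride` bytes at `(char*)ptr + byteOffset` wraps memory the caller owns, so the new limit check only guarantees that the size product fits in `size_t`; nothing here, and nothing in `Buffer::set` (which this path reaches with offset 0), can tell whether that range lies inside the caller's allocation, and `byteOffset` itself is never validated. That is inherent to shared buffers, but the line deserves a comment so the two limit checks are not mistaken for a bounds check: `/* shared memory: the caller guarantees [ptr+byteOffset, ptr+byteOffset+itemCount*byteStride) is readable; the checks above only keep the size arithmetic from wrapping */`. The enclosing function starts before this hunk.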
@@ -1916,6 +1925,9 @@ RTC_API void rtcSetGeometryTransform(RTCGeometry hgeometry, unsigned int timeSte if (itemCount > 0xFFFFFFFFu) throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"buffer too large"); + if (byteStride > 0xFFFFFFFFu) + throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"stride too large"); + /* vertex buffers need to get overallocated slightly as elements are accessed using SSE loads */ size_t bytes = itemCount*byteStride; if (type == RTC_BUFFER_TYPE_VERTEX || type == RTC_BUFFER_TYPE_VERTEX_ATTRIBUTE) @@ -1941,6 +1953,9 @@ RTC_API void rtcSetGeometryTransform(RTCGeometry hgeometry, unsigned int timeSte if (itemCount > 0xFFFFFFFFu) throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"buffer too large"); + if (byteStride > 0xFFFFFFFFu) + throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"stride too large"); + /* vertex buffers need to get overallocated slightly as elements are accessed using SSE loads */ size_t bytes = itemCount*byteStride; if (bufferType == RTC_BUFFER_TYPE_VERTEX || bufferType == RTC_BUFFER_TYPE_VERTEX_ATTRIBUTE) From f2698692265651c0adf5872780b38a82f1e2d045 Mon Sep 17 00:00:00 2001 From: Stefan Werner Date: Mon, 3 Nov 2025 14:03:41 +0100 Subject: [PATCH 2/5] More size checks for buffers --- kernels/common/buffer.h | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/kernels/common/buffer.h b/kernels/common/buffer.h index 2306757f29..9d1766875e 100644 --- a/kernels/common/buffer.h +++ b/kernels/common/buffer.h 
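Review bot: `size_t bytes = itemCount*byteStride;` directly after the new check is safe only because both factors were just capped at 0xFFFFFFFF, which keeps the product (and the small vertex overallocation that follows, outside the hunk) below 2^64 on a 64-bit `size_t`; that reasoning is worth one line next to the multiplication, e.g. `/* both factors are <= 0xFFFFFFFF, so the product cannot wrap a 64-bit size_t */`. If 32-bit builds are a target, an explicit `byteStride != 0 && itemCount > SIZE_MAX / byteStride` test would be needed instead, since the `> 0xFFFFFFFFu` comparisons are tautologically false there. The same applies to the following hunk (the one using `bufferType`). Both enclosing functions start before and end after their hunks.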
@@ -248,7 +248,16 @@ namespace embree /*! sets the buffer view */ void set(const Ref& buffer_in, size_t offset_in, size_t stride_in, size_t num_in, RTCFormat format_in) { - if ((offset_in + stride_in * num_in) > (stride_in * buffer_in->numBytes)) + if (stride_in > 0xFFFFFFFFu) + throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"stride too large"); + + if (num_in > 0xFFFFFFFFu) + throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"item count too large"); + + if (offset_in >= buffer_in->numBytes) + throw_RTCError(RTC_ERROR_INVALID_ARGUMENT, "offset too large"); + + if (stride_in * num_in > buffer_in->numBytes - offset_in) throw_RTCError(RTC_ERROR_INVALID_ARGUMENT, "buffer range out of bounds"); ptr_ofs = buffer_in->getHostPtr() + offset_in; From 009434065bead8841938afbf208994c329a7ecb5 Mon Sep 17 00:00:00 2001 From: Stefan Werner Date: Mon, 3 Nov 2025 15:55:40 +0100 Subject: [PATCH 3/5] Fixed bounds checks to allow 0 offset, 0 buffer size --- kernels/common/buffer.h | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/kernels/common/buffer.h b/kernels/common/buffer.h index 9d1766875e..c2cfee6c5e 100644 --- a/kernels/common/buffer.h +++ b/kernels/common/buffer.h 
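Review bot: The rewritten range test `stride_in * num_in > buffer_in->numBytes - offset_in` is tight only when the element described by `format_in` is no larger than `stride_in`; with a stride smaller than the element (or a zero stride, which the new `> 0xFFFFFFFFu` guard does not exclude) the last element still reads past `numBytes`. Unless a stride-versus-format check exists elsewhere in the file (not visible here), the bound should be `stride_in * (num_in - 1)` plus the byte size of `format_in`, guarded by `num_in > 0`. The product itself cannot wrap on 64-bit targets thanks to the two new caps, and a one-line comment saying so would help the next reader. `set` continues past the end of this hunk.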
@@ -248,17 +248,21 @@ namespace embree /*! sets the buffer view */ void set(const Ref& buffer_in, size_t offset_in, size_t stride_in, size_t num_in, RTCFormat format_in) { - if (stride_in > 0xFFFFFFFFu) + if (stride_in > 0xFFFFFFFFu) { throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"stride too large"); + } - if (num_in > 0xFFFFFFFFu) + if (num_in > 0xFFFFFFFFu) { throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"item count too large"); + } - if (offset_in >= buffer_in->numBytes) + if (offset_in > 0 && offset_in >= buffer_in->numBytes) { throw_RTCError(RTC_ERROR_INVALID_ARGUMENT, "offset too large"); + } - if (stride_in * num_in > buffer_in->numBytes - offset_in) + if (stride_in * num_in > buffer_in->numBytes - offset_in) { throw_RTCError(RTC_ERROR_INVALID_ARGUMENT, "buffer range out of bounds"); + } ptr_ofs = buffer_in->getHostPtr() + offset_in; dptr_ofs = buffer_in->getDevicePtr() + offset_in; From d07c1d065563092d81482698721876065f4f0f0e Mon Sep 17 00:00:00 2001 From: Stefan Werner Date: Wed, 12 Nov 2025 16:37:06 +0100 Subject: [PATCH 4/5] Added bounds check for grid dimensions --- kernels/common/scene_grid_mesh.cpp | 12 +++++++++++- kernels/common/scene_grid_mesh.h | 5 +++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/kernels/common/scene_grid_mesh.cpp b/kernels/common/scene_grid_mesh.cpp index 0eba9aec0c..6356e56b8f 100644 --- a/kernels/common/scene_grid_mesh.cpp +++ b/kernels/common/scene_grid_mesh.cpp 
@@ -142,7 +142,17 @@ namespace embree throw_RTCError(RTC_ERROR_INVALID_OPERATION,"stride of vertex buffers have to be identical for each time step"); if (vertices[t]) vertices[t].buffer->commitIfNeeded(); } - if (grids) grids.buffer->commitIfNeeded(); + if (grids) { + /* Verify that grid sizes are in bounds */ + for (size_t primID=0; primID maxGridRes || g.resY > maxGridRes) { + throw_RTCError(RTC_ERROR_INVALID_ARGUMENT, "grid dimensions are too big"); + } + + } + grids.buffer->commitIfNeeded(); + } #if defined(EMBREE_SYCL_SUPPORT) /* build quadID_to_primID_xy mapping when hardware ray tracing is supported */ diff --git a/kernels/common/scene_grid_mesh.h b/kernels/common/scene_grid_mesh.h index c4fbab8930..a209c27812 100644 --- a/kernels/common/scene_grid_mesh.h +++ b/kernels/common/scene_grid_mesh.h @@ -11,6 +11,7 @@ namespace embree /*! Grid Mesh */ struct GridMesh : public Geometry { + static constexpr unsigned short maxGridRes = 32768; /*! type of this geometry */ static const Geometry::GTypeMask geom_type = Geometry::MTY_GRID_MESH; @@ -154,12 +155,16 @@ namespace embree __forceinline unsigned int getNumQuads(const size_t gridID) const { const Grid& g = grid(gridID); + assert(g.resX > maxGridRes); + assert(g.resY > maxGridRes); return (unsigned int) max((int)1,((int)g.resX-1) * ((int)g.resY-1)); } __forceinline unsigned int getNumSubGrids(const size_t gridID) const { const Grid& g = grid(gridID); + assert(g.resX > maxGridRes); + assert(g.resY > maxGridRes); return max((unsigned int)1,((unsigned int)g.resX >> 1) * ((unsigned int)g.resY >> 1)); } From 8eaa7080973aa70e27120a2c5f871f81d3d26414 Mon Sep 17 00:00:00 2001 From: Stefan Werner Date: Fri, 21 Nov 2025 14:27:36 +0100 Subject: [PATCH 5/5] Fixed asserts, simplified bounds check --- kernels/common/buffer.h | 2 +- kernels/common/scene_grid_mesh.h | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/kernels/common/buffer.h b/kernels/common/buffer.h index c2cfee6c5e..984ed43ddd 100644 
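Review bot: The validation loop calls `grid(primID)` for every primitive before `commitIfNeeded()`, so it is itself a read of the grids buffer and depends on that buffer holding at least as many entries as the loop counts over; if the buffer-size check that guarantees this lives elsewhere (not visible in this hunk), a one-line comment naming it would make the ordering explicit, otherwise the loop bound must be the buffer's own item count. The message `"grid dimensions are too big"` would be more actionable with the offending `primID` and the limit included. The `<` of the loop condition appears to have been stripped in this copy of the patch, so the exact bound cannot be read here. The enclosing function starts before this hunk.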
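Review bot: `static constexpr unsigned short maxGridRes = 32768;` is introduced without saying why that value: it is the largest bound for which `((int)g.resX-1) * ((int)g.resY-1)` in `getNumQuads` stays within a signed 32-bit int (32767² = 1,073,676,289), and it also keeps `(resX >> 1) * (resY >> 1)` in `getNumSubGrids` well below 2^32. A comment on the constant would stop a future bump from silently reintroducing the overflow: `/* upper bound on Grid::resX/resY: with resX,resY <= 32768, (resX-1)*(resY-1) in getNumQuads cannot overflow int */`.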
--- a/kernels/common/buffer.h +++ b/kernels/common/buffer.h @@ -256,7 +256,7 @@ namespace embree throw_RTCError(RTC_ERROR_INVALID_ARGUMENT,"item count too large"); } - if (offset_in > 0 && offset_in >= buffer_in->numBytes) { + if (offset_in > buffer_in->numBytes) { throw_RTCError(RTC_ERROR_INVALID_ARGUMENT, "offset too large"); } diff --git a/kernels/common/scene_grid_mesh.h b/kernels/common/scene_grid_mesh.h index a209c27812..cd374912f5 100644 --- a/kernels/common/scene_grid_mesh.h +++ b/kernels/common/scene_grid_mesh.h @@ -155,16 +155,16 @@ namespace embree __forceinline unsigned int getNumQuads(const size_t gridID) const { const Grid& g = grid(gridID); - assert(g.resX > maxGridRes); - assert(g.resY > maxGridRes); + assert(g.resX <= maxGridRes); + assert(g.resY <= maxGridRes); return (unsigned int) max((int)1,((int)g.resX-1) * ((int)g.resY-1)); } __forceinline unsigned int getNumSubGrids(const size_t gridID) const { const Grid& g = grid(gridID); - assert(g.resX > maxGridRes); - assert(g.resY > maxGridRes); + assert(g.resX <= maxGridRes); + assert(g.resY <= maxGridRes); return max((unsigned int)1,((unsigned int)g.resX >> 1) * ((unsigned int)g.resY >> 1)); }
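Review bot: With `offset_in > buffer_in->numBytes` as the guard, `offset_in == numBytes` is now accepted and the following `buffer_in->numBytes - offset_in` evaluates to 0, which is exactly what makes an empty view on an empty buffer legal while still rejecting any `stride_in * num_in > 0`; that subtlety is why the earlier `offset_in > 0 &&` form was wrong and deserves a comment so it is not "simplified" back: `/* offset_in <= numBytes from here on, so the subtraction below cannot wrap; an offset equal to numBytes is valid only for an empty range */`. `set` continues past the end of this hunk.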
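Review bot: The corrected `assert(g.resX <= maxGridRes)` pairs are compiled out in release builds, so the only runtime guard is the commit-time loop in scene_grid_mesh.cpp; a short comment at the first assert, `// bound enforced at commit time (scene_grid_mesh.cpp); it guarantees the int product below cannot overflow`, would tell a reader where the invariant comes from and why `getNumQuads` may safely multiply in `int`.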