raylib-poc/repro_gputex.c at master · segv0x/raylib-poc · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
/*
 * repro_gputex.c - Standalone reproducer for rltexgpu.h vulnerabilities
 *
 * Demonstrates heap buffer overflow and division by zero in raylib's
 * GPU texture parsers (DDS, PKM, KTX, PVR, ASTC).
 *
 * Requires rltexgpu.h from raylib source (src/external/rltexgpu.h).
 *
 * Build:
 *   clang -g -O1 -fsanitize=address,undefined \
 *     -I <raylib>/src/external repro_gputex.c -o repro_gputex
 *
 * Usage:
 *   ./repro_gputex <crash_file>
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <string.h>

#define RLTEXGPU_SUPPORT_DDS
#define RLTEXGPU_SUPPORT_PKM
#define RLTEXGPU_SUPPORT_KTX
#define RLTEXGPU_SUPPORT_PVR
#define RLTEXGPU_SUPPORT_ASTC

/* Stub for rl_save_ktx dependency */
static void rlGetGlTextureFormats(int format, unsigned int *glInternalFormat,
                                   unsigned int *glFormat, unsigned int *glType)
{
    (void)format; (void)glInternalFormat; (void)glFormat; (void)glType;
}

#define RLTEXGPU_IMPLEMENTATION
#include "rltexgpu.h"

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "Usage: %s <crash_file>\n", argv[0]);
        return 1;
    }

    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 1; }
    fseek(f, 0, SEEK_END);
    long file_size = ftell(f);
    fseek(f, 0, SEEK_SET);

    unsigned char *buf = (unsigned char *)malloc(file_size);
    if (!buf) { fclose(f); return 1; }
    fread(buf, 1, file_size, f);
    fclose(f);

    int w = 0, h = 0, fmt = 0, mips = 0;
    void *data = NULL;

    /* Route by magic bytes */
    if (file_size >= 4) {
        if (buf[0] == 'D' && buf[1] == 'D')
            data = rl_load_dds_from_memory(buf, (unsigned int)file_size, &w, &h, &fmt, &mips);
        else if (buf[0] == 'P' && buf[1] == 'K')
            data = rl_load_pkm_from_memory(buf, (unsigned int)file_size, &w, &h, &fmt, &mips);
        else if (buf[0] == 0xAB && buf[1] == 'K')
            data = rl_load_ktx_from_memory(buf, (unsigned int)file_size, &w, &h, &fmt, &mips);
        else if (buf[0] == 'P' && buf[1] == 'V')
            data = rl_load_pvr_from_memory(buf, (unsigned int)file_size, &w, &h, &fmt, &mips);
        else if (buf[0] == 0x13 && buf[1] == 0xAB)
            data = rl_load_astc_from_memory(buf, (unsigned int)file_size, &w, &h, &fmt, &mips);
    }

    printf("Result: data=%p w=%d h=%d fmt=%d mips=%d\n", data, w, h, fmt, mips);
    free(data);
    free(buf);
    return 0;
}