Mojira Archive
MC-239593

Native image methods might perform integer overflow/invalid memory read

Several methods in NativeImage (dpm in the ProGuard map for 1.17.1) may perform integer overflow when calculating pointer offsets. This will cause memory corruption (and a potentially exploitable crash in the client). All names are Yarn names for 1.17.1.

For example, NativeImage.getOpacity is defined as:

  public byte getOpacity(int x, int y) {
    if (!this.format.hasOpacityChannel())
      throw new IllegalArgumentException(String.format("no luminance or alpha in %s", this.format));
    if (isOutOfBounds(x, y))
      throw new IllegalArgumentException(String.format("(%s, %s) outside of image bounds (%s, %s)", x, y, this.width, this.height));
    // Every operand is int, so the pixel index times the channel count can wrap
    // even though (x, y) passed the bounds check above.
    int k = (x + y * this.width) * this.format.getChannelCount() + this.format.getOpacityChannelOffset() / 8;
    // A wrapped (negative or too small) k is added to the native pointer and read unchecked.
    return MemoryUtil.memGetByte(this.pointer + k);
  }

Notice that the variable k is of type int. If the image is bigger than around 23171x23171 (for PNG, from what I can tell) and the x/y position is sufficiently large, the value will pass the isOutOfBounds check but will overflow the integer maximum when calculating k. This will cause an invalid memory read on the next line.

This method, NativeImage.getOpacity, is interesting because it can be called by loading a resource pack that includes bitmap fonts. If such font files are big enough, loading them will crash the game.

This issue is marked as private out of an abundance of caution, since memory-related bugs often lead to code execution issues. Note that for exploitation, a large amount of RAM would be required to load such a big image file.
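The following is an added, stand-alone example written for this page; it is not Mojang's or the report's own code. It reproduces the offset arithmetic from the getOpacity method quoted above with plain ints, shows the same arithmetic widened to long, and adds a bounds check against the buffer size, which is how a hardened accessor would guard the native read. The RGBA layout (4 channels, opacity channel at bit offset 24) and the class and method names are assumptions made for the demo, not names from the game.

```java
// Added example, not Minecraft/Mojang code. Reproduces the int overflow in the
// NativeImage pixel-offset arithmetic and shows a long-based, bounds-checked form.
// Assumed RGBA layout: 4 channels, opacity (alpha) channel at bit offset 24.
public final class NativeImageOffsetDemo {
    static final int RGBA_CHANNELS = 4;            // assumption for the demo
    static final int RGBA_OPACITY_BIT_OFFSET = 24; // assumption for the demo

    /** Mirrors the offset arithmetic in the report's getOpacity: every operand is an int. */
    static int offsetAsInt(int x, int y, int width, int channels, int opacityBitOffset) {
        return (x + y * width) * channels + opacityBitOffset / 8;
    }

    /** Same arithmetic with the operands widened to long, so no intermediate result wraps. */
    static long offsetAsLong(int x, int y, int width, int channels, int opacityBitOffset) {
        return ((long) x + (long) y * width) * channels + opacityBitOffset / 8;
    }

    /** Byte size of the pixel buffer, computed in long the way a long-typed size field would be. */
    static long sizeBytes(int width, int height, int channels) {
        return (long) width * height * channels;
    }

    /**
     * Hardened accessor: pixel bounds check, widened arithmetic, then a byte-offset check
     * against the buffer size before the offset is ever added to a native pointer.
     */
    static long checkedOpacityOffset(int x, int y, int width, int height, int channels, int opacityBitOffset) {
        if (x < 0 || y < 0 || x >= width || y >= height) {
            throw new IllegalArgumentException("(" + x + ", " + y + ") outside of image bounds");
        }
        long k = offsetAsLong(x, y, width, channels, opacityBitOffset);
        long size = sizeBytes(width, height, channels);
        if (k < 0 || k >= size) {
            throw new IllegalStateException("offset " + k + " outside buffer of " + size + " bytes");
        }
        return k;
    }

    /** Smallest square image (pixels per side) whose bottom-right opacity offset no longer fits an int. Requires channels >= 1. */
    static int firstOverflowingSquareSide(int channels, int opacityBitOffset) {
        for (int side = 1; ; side++) {
            long k = offsetAsLong(side - 1, side - 1, side, channels, opacityBitOffset);
            if (k > Integer.MAX_VALUE) {
                return side;
            }
        }
    }

    public static void main(String[] args) {
        int w = 23171, h = 23171;  // the square size the report gives as the RGBA threshold
        int x = w - 1, y = h - 1;  // bottom-right pixel: passes the isOutOfBounds check
        long size = sizeBytes(w, h, RGBA_CHANNELS);
        int kInt = offsetAsInt(x, y, w, RGBA_CHANNELS, RGBA_OPACITY_BIT_OFFSET);
        long kLong = offsetAsLong(x, y, w, RGBA_CHANNELS, RGBA_OPACITY_BIT_OFFSET);

        System.out.println("buffer size (bytes)       : " + size);
        System.out.println("int offset (as in report) : " + kInt);
        System.out.println("long offset               : " + kLong);
        System.out.println("int offset is negative    : " + (kInt < 0));
        System.out.println("long offset inside buffer : " + (kLong >= 0 && kLong < size));
        System.out.println("first overflowing square  : " + firstOverflowingSquareSide(RGBA_CHANNELS, RGBA_OPACITY_BIT_OFFSET));
        System.out.println("checked offset            : " + checkedOpacityOffset(x, y, w, h, RGBA_CHANNELS, RGBA_OPACITY_BIT_OFFSET));
    }
}
```

Compile and run with `javac NativeImageOffsetDemo.java && java NativeImageOffsetDemo`. For the 23171x23171 RGBA case the buffer is 2,147,580,964 bytes; the int arithmetic yields -2,147,386,333, which added to the native pointer reads roughly 2 GiB before the allocation, while the long arithmetic yields 2,147,580,963, the last byte of the buffer. The search helper confirms 23171 as the first square side at which the int form wraps for four channels, matching the figure in the report. No native memory is touched by the demo; it only computes the offsets the real code would feed to memGetByte.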

Unresolved

apple502j

2021-10-22, 03:40 PM

2023-08-22, 09:35 AM

2

2

Plausible

Normal

Platform

Crash

1.17.1, 21w42a

-