GHSA-3w9w-9833-gcpv: 
C# vulnerability analysis and mitigation

A security vulnerability (GHSA-3w9w-9833-gcpv) was discovered in Microsoft's DirectXTex library, specifically affecting the ConvertToSinglePlane method. The vulnerability was disclosed on January 25, 2023, and affects multiple versions of DirectXTex packages including directxtex_desktop_2019, directxtex_desktop_win10, and directxtex_uwp versions prior to 2023.1.31.1. The issue involves a memory overwrite bug that occurs when processing invalid height parameters for planar video textures such as NV12 (GitHub Advisory).

The vulnerability stems from a failure to validate height alignment requirements for input images in the ConvertToSinglePlane method. This oversight can lead to memory overwrite vulnerabilities when untrusted content is passed from the DDS loader directly to this function. The vulnerability has been assigned a CVSS score of 6.1 (Moderate severity) with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L. The attack vector is local, with low attack complexity, requiring no privileges but user interaction (GitHub Advisory).

The vulnerability specifically affects scenarios where the ConvertToSinglePlane method is used in conjunction with multi-planar video formats. While the DDS texture loader itself is not directly impacted, the vulnerability can lead to memory overwrites when processing untrusted content. The CVSS metrics indicate high confidentiality impact and low availability impact, with no integrity impact (GitHub Advisory).

The vulnerability has been patched in the January 31, 2023 release (version 2023.1.31.1) of DirectXTex. The fix includes validation of height alignment requirements and additional hardening for the DDS loader, ComputePitch, and DDSTextureLoader modules. For users unable to update immediately, a workaround is available by implementing validation of width and height alignment requirements for input images before calling the ConvertToSinglePlane function (GitHub PR, GitHub Advisory).