[Commits] SDL_image: xcf: deal with bogus data in rle tile decoding.

libsdl.org revision control commits-owner at libsdl.org
Sat Jan 27 14:31:27 PST 2018


details:   https://hg.libsdl.org/SDL_image/rev/7df1580f1695
changeset: 560:7df1580f1695
user:      Ryan C. Gordon <icculus at icculus.org>
date:      Sat Jan 27 17:27:55 2018 -0500
description:
xcf: deal with bogus data in rle tile decoding.

diffstat:

 IMG_xcf.c |  19 ++++++++++++++++++-
 1 files changed, 18 insertions(+), 1 deletions(-)

diffs (50 lines):

diff -r 37445f6180a8 -r 7df1580f1695 IMG_xcf.c
--- a/IMG_xcf.c	Wed Jan 24 13:12:07 2018 -0500
+++ b/IMG_xcf.c	Sat Jan 27 17:27:55 2018 -0500
@@ -486,7 +486,7 @@
   t = load = (unsigned char *) SDL_malloc (len);
   reallen = SDL_RWread (src, t, 1, len);
 
-  data = (unsigned char *) SDL_malloc (x*y*bpp);
+  data = (unsigned char *) SDL_calloc (1, x*y*bpp);
   for (i = 0; i < bpp; i++) {
     d    = data + i;
     size = x*y;
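Review bot: The result of `SDL_calloc (1, x*y*bpp)` is used on the next lines (`d = data + i`) without a NULL test, and the product `x*y*bpp` is computed before the allocator sees it, so an overflow in that multiplication would not be caught by calloc. A guard such as `if (data == NULL) { SDL_free (load); return NULL; }` before the loop would cover the allocation failure, assuming the function returns the tile pointer; its signature is outside this hunk. Passing the factors separately, e.g. `SDL_calloc ((size_t) x * y, bpp)`, or range-checking x, y and bpp first, would address the size computation. The `load` buffer allocated two lines above the change is likewise handed to SDL_RWread unchecked.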
@@ -503,6 +503,12 @@
       t += 2;
     }
 
+        if (((size_t) (t - load) + length) >= len) {
+          break;  /* bogus data */
+        } else if (length > size) {
+          break;  /* bogus data */
+        }
+
     count += length;
     size -= length;
 
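Review bot: The bound in `((size_t) (t - load) + length) >= len` is taken against the allocation size `len`, not against the `reallen` that SDL_RWread returned in the first hunk; the run test in the next hunk, `((size_t) (t - load)) >= len`, has the same issue. On a short read the tail of `load` is uninitialised heap memory, and both checks still allow the decoder to copy it into the tile. Comparing against `reallen` in both places, `if (((size_t) (t - load) + length) >= reallen) {` and `if (((size_t) (t - load)) >= reallen) {`, would close that. The test also runs only after the `t += 2` just above it, so the opcode and extended-length bytes (read outside this hunk) are presumably fetched before any bound is applied; a check ahead of those reads is worth adding. The enclosing while loop starts and ends outside the hunk.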
@@ -518,6 +524,12 @@
       t += 2;
     }
 
+        if (((size_t) (t - load)) >= len) {
+          break;  /* bogus data */
+        } else if (length > size) {
+          break;  /* bogus data */
+        }
+
     count += length;
     size -= length;
 
@@ -529,6 +541,11 @@
     }
       }
     }
+
+    if (size > 0) {
+      break;  /* just drop out, untouched data initialized to zero. */
+    }
+
   }
 
   SDL_free (load);
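Review bot: The `if (size > 0) break;` exit hands back a partly decoded, zero-padded tile with nothing to tell the caller that the input was malformed. That is memory-safe thanks to the calloc, but a corrupt or hostile file then loads as if it were valid, which makes such inputs harder to notice in logs or triage. Recording the condition before the break, for example `IMG_SetError ("XCF: truncated or corrupt RLE tile");`, would keep the tolerant behaviour while leaving a trace. The comment could also say that the remaining channels are skipped as well, since the break leaves the outer `for (i = 0; i < bpp; i++)` loop.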

