From 8373c58aa8c66e67e714e7a7caf8bd54ef162eac Mon Sep 17 00:00:00 2001
From: "Ryan C. Gordon"
Date: Wed, 26 Sep 2018 14:58:31 -0400
Subject: [PATCH] xcf: Fix potential buffer overflow on corrupt or maliciously-crafted XCF file.
---
 IMG_xcf.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/IMG_xcf.c b/IMG_xcf.c
index 3c7ed02d..9df7eb7a 100644
--- a/IMG_xcf.c
+++ b/IMG_xcf.c
@@ -638,6 +638,9 @@ do_layer_surface(SDL_Surface * surface, SDL_RWops * src, xcf_header * head, xcf_
 p16 = (Uint16 *) p8;
 p = (Uint32 *) p8;
 for (y = ty; y < ty + oy; y++) {
+ if ((ty >= surface->h) || ((tx+ox) > surface->w)) {
+ break;
+ }
 row = (Uint32 *) ((Uint8 *) surface->pixels + y * surface->pitch + tx * 4);
 switch (hierarchy->bpp) {
 case 4:
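Review bot: The added guard tests `ty`, which does not change inside the loop, so it only rejects a tile whose first row is already at or below the bottom of the surface. A tile that starts in bounds but extends past it (`ty + oy > surface->h`) still reaches the `row` computation for rows `y >= surface->h`. Testing the loop variable closes that gap: `if ((y >= surface->h) || ((tx+ox) > surface->w)) {`. The declarations of `tx`, `ty`, `ox` and `oy` are outside the hunk; if they are signed, or hold large values taken from the file, `tx+ox` could wrap or be negative and pass the comparison, so validating the tile offsets and sizes once before the loop would be more robust. The body of do_layer_surface starts and ends outside the hunk.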