XCF: check if there's sufficient data in the stream before allocating

An XCF file could lie about the size of a string it contains. Perform a check if there is enough of data in the stream before trying to allocate the advertised size.
libsdl-org · Sep 28, 2018 · 98e9457 · 98e9457
1 parent b8a008d
commit 98e9457
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/IMG_xcf.c b/IMG_xcf.c
@@ -225,7 +225,8 @@ static char * read_string (SDL_RWops * src) {
   char * data;
 
   tmp = SDL_ReadBE32 (src);
-  if (tmp > 0) {
+  Sint64 remaining = SDL_RWsize(src) - SDL_RWtell(src);
+  if (tmp > 0 && tmp < remaining) {
     data = (char *) SDL_malloc (sizeof (char) * tmp);
     SDL_RWread (src, data, tmp, 1);
   }