xcf: deal with bogus data in rle tile decoding.
authorRyan C. Gordon <icculus@icculus.org>
Sat, 27 Jan 2018 17:27:55 -0500
changeset 5607df1580f1695
parent 559 37445f6180a8
child 561 607436eb1473
xcf: deal with bogus data in rle tile decoding.
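--- a/IMG_xcf.c	Wed Jan 24 13:12:07 2018 -0500
+++ b/IMG_xcf.c	Sat Jan 27 17:27:55 2018 -0500
@@ -486,7 +486,7 @@
   t = load = (unsigned char *) SDL_malloc (len);
   reallen = SDL_RWread (src, t, 1, len);
 
-  data = (unsigned char *) SDL_malloc (x*y*bpp);
+  data = (unsigned char *) SDL_calloc (1, x*y*bpp);
   for (i = 0; i < bpp; i++) {
     d    = data + i;
     size = x*y;
@@ -503,6 +503,12 @@
       t += 2;
     }
 
+        if (((size_t) (t - load) + length) >= len) {
+          break;  /* bogus data */
+        } else if (length > size) {
+          break;  /* bogus data */
+        }
+
     count += length;
     size -= length;
 
@@ -518,6 +524,12 @@
       t += 2;
     }
 
+        if (((size_t) (t - load)) >= len) {
+          break;  /* bogus data */
+        } else if (length > size) {
+          break;  /* bogus data */
+        }
+
     count += length;
     size -= length;
 
@@ -529,6 +541,11 @@
     }
       }
     }
+
+    if (size > 0) {
+      break;  /* just drop out, untouched data initialized to zero. */
+    }
+
   }
 
   SDL_free (load);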
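Review bot: The bounds checks added in the second and third hunks compare against `len`, the requested size, although the first hunk shows the real byte count in `reallen = SDL_RWread (src, t, 1, len);`, so after a short read the uninitialized tail of the `SDL_malloc`'d `load` buffer still counts as in-bounds. Bounding against what was actually read, e.g. `if (((size_t) (t - load) + length) >= reallen) {` and `if (((size_t) (t - load)) >= reallen) {`, would close that. Both checks also sit after `t += 2;`, so the bytes that produced `length` were presumably read before any check; that code lies outside the hunks, as do the start and end of the enclosing function, so a guard before those reads should be confirmed there. In the first hunk, `x*y*bpp` is multiplied before `SDL_calloc` can detect overflow, and neither `load` nor `data` is tested for NULL before use; an `if (load == NULL || data == NULL)` check with a cleanup path would cover the latter.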