From 4e006adf42593e8b0fd34b99f6f7b0b66f1e64f5 Mon Sep 17 00:00:00 2001
From: "Ryan C. Gordon"
Date: Wed, 7 Feb 2018 16:18:54 -0500
Subject: [PATCH] xcf: Prevent infinite loop and/or buffer overflow on bogus data.
---
 IMG_xcf.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/IMG_xcf.c b/IMG_xcf.c
index 45b00327..1fd15236 100755
--- a/IMG_xcf.c
+++ b/IMG_xcf.c
@@ -483,6 +483,10 @@ static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp,
 int i, size, count, j, length;
 unsigned char val;
+ if (len == 0) { /* probably bogus data. */
+ return NULL;
+ }
+
 t = load = (unsigned char *) SDL_malloc (len);
 reallen = SDL_RWread (src, t, 1, len);
@@ -608,6 +612,16 @@ do_layer_surface(SDL_Surface * surface, SDL_RWops * src, xcf_header * head, xcf_
 tile = load_tile(src, ox * oy * 6, hierarchy->bpp, ox, oy);
 }
+ if (!tile) {
+ if (hierarchy) {
+ free_xcf_hierarchy(hierarchy);
+ }
+ if (level) {
+ free_xcf_level(level);
+ }
+ return 1;
+ }
+
 p8 = tile;
 p16 = (Uint16 *) p8;
 p = (Uint32 *) p8;
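Review bot: In load_xcf_tile_rle the result of `SDL_malloc (len)` on the line after the new guard is still used unchecked, so `SDL_RWread (src, t, 1, len)` writes through `t` even when the allocation failed. `len` presumably comes from the file being parsed, so a very large value can make the allocation fail just as a zero value can be bogus. Add `if (load == NULL) { return NULL; }` directly after the allocation; the `!tile` check this commit adds in do_layer_surface already handles a NULL return. The rest of the function, including how `reallen` bounds the decode loop, lies outside the hunk.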
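Review bot: In do_layer_surface the `if (hierarchy)` guard in the new error path cannot be false on the visible branch, because `hierarchy->bpp` is already dereferenced in the `load_tile` call just above it. The guard reads as if NULL were possible here, and it obscures whether `level` can really be NULL at this point. Either release unconditionally, `free_xcf_hierarchy(hierarchy); free_xcf_level(level); return 1;`, or keep the guards and add a comment such as `/* tile load failed: release per-layer state; 1 signals failure to the caller */`. The enclosing loops and the function's earlier allocations start outside the hunk, so it cannot be confirmed from here that nothing else needs freeing on this early return.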