xcf: Prevent infinite loop and/or buffer overflow on bogus data.
authorRyan C. Gordon <icculus@icculus.org>
Wed, 07 Feb 2018 16:18:54 -0500
changeset 568c5f9cbb5d2bb
parent 567 2938fc80591a
child 569 fb643e371806
xcf: Prevent infinite loop and/or buffer overflow on bogus data.
IMG_xcf.c
     1.1 --- a/IMG_xcf.c	Wed Feb 07 15:43:51 2018 -0500
     1.2 +++ b/IMG_xcf.c	Wed Feb 07 16:18:54 2018 -0500
     1.3 @@ -483,6 +483,10 @@
     1.4    int i, size, count, j, length;
     1.5    unsigned char val;
     1.6  
     1.7 +  if (len == 0) {  /* probably bogus data. */
     1.8 +    return NULL;
     1.9 +  }
    1.10 +
    1.11    t = load = (unsigned char *) SDL_malloc (len);
    1.12    reallen = SDL_RWread (src, t, 1, len);
    1.13  
    1.14 @@ -608,6 +612,16 @@
    1.15                  tile = load_tile(src, ox * oy * 6, hierarchy->bpp, ox, oy);
    1.16              }
    1.17  
    1.18 +            if (!tile) {
    1.19 +                if (hierarchy) {
    1.20 +                    free_xcf_hierarchy(hierarchy);
    1.21 +                }
    1.22 +                if (level) {
    1.23 +                    free_xcf_level(level);
    1.24 +                }
    1.25 +                return 1;
    1.26 +            }
    1.27 +
    1.28              p8 = tile;
    1.29              p16 = (Uint16 *) p8;
    1.30              p = (Uint32 *) p8;