# HG changeset patch
# User Ryan C. Gordon <icculus@icculus.org>
# Date 1517092075 18000
# Node ID 7df1580f1695d327c1c4580dccbf7ca6da5aed9e
# Parent  37445f6180a8ca7a218ab9f9eaaeaf088b4f6c3a
xcf: deal with bogus data in rle tile decoding.

diff -r 37445f6180a8 -r 7df1580f1695 IMG_xcf.c
--- a/IMG_xcf.c	Wed Jan 24 13:12:07 2018 -0500
+++ b/IMG_xcf.c	Sat Jan 27 17:27:55 2018 -0500
@@ -486,7 +486,7 @@
   t = load = (unsigned char *) SDL_malloc (len);
   reallen = SDL_RWread (src, t, 1, len);
 
-  data = (unsigned char *) SDL_malloc (x*y*bpp);
+  data = (unsigned char *) SDL_calloc (1, x*y*bpp);
   for (i = 0; i < bpp; i++) {
     d    = data + i;
     size = x*y;
@@ -503,6 +503,12 @@
       t += 2;
     }
 
+        if (((size_t) (t - load) + length) >= len) {
+          break;  /* bogus data */
+        } else if (length > size) {
+          break;  /* bogus data */
+        }
+
     count += length;
     size -= length;
 
@@ -518,6 +524,12 @@
       t += 2;
     }
 
+        if (((size_t) (t - load)) >= len) {
+          break;  /* bogus data */
+        } else if (length > size) {
+          break;  /* bogus data */
+        }
+
     count += length;
     size -= length;
 
@@ -529,6 +541,11 @@
     }
       }
     }
+
+    if (size > 0) {
+      break;  /* just drop out, untouched data initialized to zero. */
+    }
+
   }
 
   SDL_free (load);