# HG changeset patch
# User Ryan C. Gordon <icculus@icculus.org>
# Date 1517092075 18000
# Node ID 7df1580f1695d327c1c4580dccbf7ca6da5aed9e
# Parent 37445f6180a8ca7a218ab9f9eaaeaf088b4f6c3a
xcf: deal with bogus data in rle tile decoding.
diff -r 37445f6180a8 -r 7df1580f1695 IMG_xcf.c
--- a/IMG_xcf.c Wed Jan 24 13:12:07 2018 -0500
+++ b/IMG_xcf.c Sat Jan 27 17:27:55 2018 -0500
@@ -486,7 +486,7 @@
t = load = (unsigned char *) SDL_malloc (len);
reallen = SDL_RWread (src, t, 1, len);
- data = (unsigned char *) SDL_malloc (x*y*bpp);
+ data = (unsigned char *) SDL_calloc (1, x*y*bpp);
for (i = 0; i < bpp; i++) {
d = data + i;
size = x*y;
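Review bot: The product `x*y*bpp` is still computed before `SDL_calloc` is called, so the allocator's own overflow check never sees the individual factors. The types and limits of `x`, `y` and `bpp` are declared outside this hunk; if they come from the file without an upper bound, a wrapped product would give a buffer smaller than the `x*y` pixels per channel that the loop below expects to fill. Passing the factors separately, `data = (unsigned char *) SDL_calloc ((size_t) x * y, bpp);`, together with a range check on the tile dimensions, would cover that. Neither `load` nor `data` is tested for NULL in the visible lines before `SDL_RWread` and `d = data + i` use them.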
@@ -503,6 +503,12 @@
t += 2;
}
+ if (((size_t) (t - load) + length) >= len) {
+ break; /* bogus data */
+ } else if (length > size) {
+ break; /* bogus data */
+ }
+
count += length;
size -= length;
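Review bot: The new bounds check compares against `len`, the number of bytes requested, rather than `reallen`, the number `SDL_RWread` actually returned at the top of the function. On a truncated file the bytes between `reallen` and `len` are uninitialized `SDL_malloc` memory, and this check still lets the decoder copy them into the tile. Using `reallen` as the limit here and in the matching check in the next hunk (`((size_t) (t - load)) >= len`), or rejecting the tile up front with `if (reallen != len)`, would avoid that. The check also sits after `t += 2`, so the reads that fetch the run header and the two-byte length (outside this hunk) are presumably not covered by it.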
@@ -518,6 +524,12 @@
t += 2;
}
+ if (((size_t) (t - load)) >= len) {
+ break; /* bogus data */
+ } else if (length > size) {
+ break; /* bogus data */
+ }
+
count += length;
size -= length;
@@ -529,6 +541,11 @@
}
}
}
+
+ if (size > 0) {
+ break; /* just drop out, untouched data initialized to zero. */
+ }
+
}
SDL_free (load);
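Review bot: Every bail-out path added by this commit ends in a plain `break`, so a tile with corrupt RLE data is handed back looking like a successful decode that happens to be partly zero-filled. If that best-effort behaviour is intended, the comment should say so, e.g. `/* corrupt tile: return what was decoded, rest stays zero; caller is not notified */`. The function's return statement and any error reporting are outside this hunk, so whether callers can detect the condition cannot be confirmed from here.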