1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33
|
Description: xcf: Prevent infinite loop and/or buffer overflow on bogus data.
Origin: upstream, https://hg.libsdl.org/SDL_image/rev/c5f9cbb5d2bb
--- a/IMG_xcf.c
+++ b/IMG_xcf.c
@@ -466,6 +466,10 @@ static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp,
int i, size, count, j, length;
unsigned char val;
+ if (len == 0) { /* probably bogus data. */
+ return NULL;
+ }
+
t = load = (unsigned char *) malloc (len);
reallen = SDL_RWread (src, t, 1, len);
@@ -581,6 +585,16 @@ static int do_layer_surface (SDL_Surface * surface, SDL_RWops * src, xcf_header
ox, oy);
}
+ if (!tile) {
+ if (hierarchy) {
+ free_xcf_hierarchy(hierarchy);
+ }
+ if (level) {
+ free_xcf_level(level);
+ }
+ return 1;
+ }
+
p8 = tile;
p16 = (Uint16 *) p8;
p = (Uint32 *) p8;
|