summaryrefslogtreecommitdiff
path: root/modules/bmp
diff options
context:
space:
mode:
authorRĂ©mi Verschelde <remi@verschelde.fr>2021-10-03 17:41:43 +0200
committerGitHub <noreply@github.com>2021-10-03 17:41:43 +0200
commit66ab3ce954a94fd43baed1dd74381dd32c893407 (patch)
treeec60d4f5ecfbcfd1ed1cd3d6ab065338d916b82a /modules/bmp
parenta88e82078dfa1e06acad59eb34bf2bbb64ed5978 (diff)
parentac5d7abe13b658078111b3144c748dc72bd287d1 (diff)
Merge pull request #46555 from gongpha/line-ptr-more-than-size-bmp
Check if the line pointer goes away from the image buffer's EOF in the BMP importer
Diffstat (limited to 'modules/bmp')
-rw-r--r--modules/bmp/image_loader_bmp.cpp2
1 files changed, 2 insertions, 0 deletions
diff --git a/modules/bmp/image_loader_bmp.cpp b/modules/bmp/image_loader_bmp.cpp
index 171895ed24..bd8342e1aa 100644
--- a/modules/bmp/image_loader_bmp.cpp
+++ b/modules/bmp/image_loader_bmp.cpp
@@ -91,11 +91,13 @@ Error ImageLoaderBMP::convert_to_image(Ref<Image> p_image,
// the data width in case of 8/4/1 bit images
const uint32_t w = bits_per_pixel >= 24 ? width : width_bytes;
const uint8_t *line = p_buffer + (line_width * (height - 1));
+ const uint8_t *end_buffer = p_buffer + p_header.bmp_file_header.bmp_file_size - p_header.bmp_file_header.bmp_file_offset;
for (uint64_t i = 0; i < height; i++) {
const uint8_t *line_ptr = line;
for (unsigned int j = 0; j < w; j++) {
+ ERR_FAIL_COND_V(line_ptr >= end_buffer, ERR_FILE_CORRUPT);
switch (bits_per_pixel) {
case 1: {
uint8_t color_index = *line_ptr;