authorKongfa Waroros <gongpha@hotmail.com>2021-03-01 20:43:32 +0700
committerKongfa Waroros <gongpha@hotmail.com>2021-03-02 09:50:32 +0700
commitac5d7abe13b658078111b3144c748dc72bd287d1 (patch)
tree20e0a384f757231e36c39d5575caeba5208b1a1f /modules/bmp
parent09b5d6886f8ef736ca83e3ec965f50a2cb7152f2 (diff)
Check if the line pointer goes away from the image buffer's EOF in the BMP importer
Diffstat (limited to 'modules/bmp')
-rw-r--r--modules/bmp/image_loader_bmp.cpp2
1 files changed, 2 insertions, 0 deletions
diff --git a/modules/bmp/image_loader_bmp.cpp b/modules/bmp/image_loader_bmp.cpp
index c7fdf56af4..0a12293ae0 100644
--- a/modules/bmp/image_loader_bmp.cpp
+++ b/modules/bmp/image_loader_bmp.cpp
@@ -91,11 +91,13 @@ Error ImageLoaderBMP::convert_to_image(Ref<Image> p_image,
// the data width in case of 8/4/1 bit images
const uint32_t w = bits_per_pixel >= 24 ? width : width_bytes;
const uint8_t *line = p_buffer + (line_width * (height - 1));
+ const uint8_t *end_buffer = p_buffer + p_header.bmp_file_header.bmp_file_size - p_header.bmp_file_header.bmp_file_offset;
for (uint64_t i = 0; i < height; i++) {
const uint8_t *line_ptr = line;
for (unsigned int j = 0; j < w; j++) {
+ ERR_FAIL_COND_V(line_ptr >= end_buffer, ERR_FILE_CORRUPT);
switch (bits_per_pixel) {
case 1: {
uint8_t color_index = *line_ptr;