authorRémi Verschelde <rverschelde@gmail.com>2022-11-02 14:15:40 +0100
committerRémi Verschelde <rverschelde@gmail.com>2022-11-02 14:15:40 +0100
commita30ed00fb1c5226b20655d704d56e11ce9c606e0 (patch)
tree022d422b8a32ab05848bf74aed5775331e22f0af /modules/tga/image_loader_tga.cpp
parent87cdc2ea60ebb2dc1965d50087be30b768996fe3 (diff)
parent5cb07486db6fc53cc5a13e3451dd451e987f39d7 (diff)
Merge pull request #68057 from Klowner/tga-truncated-crash-fix-67985
Add buffer size check to Image.load_tga_from_buffer(). Fixes #67985
Diffstat (limited to 'modules/tga/image_loader_tga.cpp')
-rw-r--r--modules/tga/image_loader_tga.cpp8
1 files changed, 7 insertions, 1 deletions
diff --git a/modules/tga/image_loader_tga.cpp b/modules/tga/image_loader_tga.cpp
index a6fc650414..8adde3c5d3 100644
--- a/modules/tga/image_loader_tga.cpp
+++ b/modules/tga/image_loader_tga.cpp
@@ -284,14 +284,21 @@ Error ImageLoaderTGA::load_image(Ref<Image> p_image, Ref<FileAccess> f, BitField
err = FAILED;
}
+ uint64_t color_map_size;
if (has_color_map) {
if (tga_header.color_map_length > 256 || (tga_header.color_map_depth != 24) || tga_header.color_map_type != 1) {
err = FAILED;
}
+ color_map_size = tga_header.color_map_length * (tga_header.color_map_depth >> 3);
} else {
if (tga_header.color_map_type) {
err = FAILED;
}
+ color_map_size = 0;
+ }
+
+ if ((src_image_len - f->get_position()) < (tga_header.id_length + color_map_size)) {
+ err = FAILED; // TGA data appears to be truncated (fewer bytes than expected).
}
if (tga_header.image_width <= 0 || tga_header.image_height <= 0) {
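Review bot: The truncation check added after the color-map branch bounds only the image ID and palette (`tga_header.id_length + color_map_size`), so a file whose pixel data is cut short still passes it. Unless a later part of load_image (its body starts and ends outside this hunk) compares the remaining bytes with the size implied by width, height and pixel depth, the decoder can still be handed a short buffer. The left-hand side `src_image_len - f->get_position()` would also wrap if both operands are unsigned and the position ever exceeded the length; their declarations are not visible here, so the additive form `if (f->get_position() + tga_header.id_length + color_map_size > src_image_len) {` is the safer way to write it. Declaring `uint64_t color_map_size = 0;` would also make the assignment in the `else` branch unnecessary and rule out an uninitialized read if another path is added later.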
@@ -308,7 +315,6 @@ Error ImageLoaderTGA::load_image(Ref<Image> p_image, Ref<FileAccess> f, BitField
Vector<uint8_t> palette;
if (has_color_map) {
- size_t color_map_size = tga_header.color_map_length * (tga_header.color_map_depth >> 3);
err = palette.resize(color_map_size);
if (err == OK) {
uint8_t *palette_w = palette.ptrw();