diff options
| author | RĂ©mi Verschelde <remi@verschelde.fr> | 2021-10-03 17:41:43 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-10-03 17:41:43 +0200 |
| commit | 66ab3ce954a94fd43baed1dd74381dd32c893407 (patch) | |
| tree | ec60d4f5ecfbcfd1ed1cd3d6ab065338d916b82a /modules | |
| parent | a88e82078dfa1e06acad59eb34bf2bbb64ed5978 (diff) | |
| parent | ac5d7abe13b658078111b3144c748dc72bd287d1 (diff) | |
Merge pull request #46555 from gongpha/line-ptr-more-than-size-bmp
Check if the line pointer goes away from the image buffer's EOF in the BMP importer
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/bmp/image_loader_bmp.cpp | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/modules/bmp/image_loader_bmp.cpp b/modules/bmp/image_loader_bmp.cpp index 171895ed24..bd8342e1aa 100644 --- a/modules/bmp/image_loader_bmp.cpp +++ b/modules/bmp/image_loader_bmp.cpp @@ -91,11 +91,13 @@ Error ImageLoaderBMP::convert_to_image(Ref<Image> p_image, // the data width in case of 8/4/1 bit images const uint32_t w = bits_per_pixel >= 24 ? width : width_bytes; const uint8_t *line = p_buffer + (line_width * (height - 1)); + const uint8_t *end_buffer = p_buffer + p_header.bmp_file_header.bmp_file_size - p_header.bmp_file_header.bmp_file_offset; for (uint64_t i = 0; i < height; i++) { const uint8_t *line_ptr = line; for (unsigned int j = 0; j < w; j++) { + ERR_FAIL_COND_V(line_ptr >= end_buffer, ERR_FILE_CORRUPT); switch (bits_per_pixel) { case 1: { uint8_t color_index = *line_ptr; |