Description: xcf: deal with bogus data in rle tile decoding. Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7df1580f1695
--- a/IMG_xcf.c
+++ b/IMG_xcf.c
@@ -470,6 +470,7 @@ static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp,
 reallen = SDL_RWread (src, t, 1, len);
 data = (unsigned char *) malloc (x*y*bpp);
+ data = (unsigned char *) calloc (1, x*y*bpp);
 for (i = 0; i < bpp; i++) {
 d = data + i;
 size = x*y;
@@ -486,6 +487,12 @@ static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp,
 t += 2;
 }
+ if (((size_t) (t - load) + length) >= len) {
+ break; /* bogus data */
+ } else if (length > size) {
+ break; /* bogus data */
+ }
+
 count += length;
 size -= length;
@@ -501,6 +508,12 @@ static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp,
 t += 2;
 }
+ if (((size_t) (t - load)) >= len) {
+ break; /* bogus data */
+ } else if (length > size) {
+ break; /* bogus data */
+ }
+
 count += length;
 size -= length;
@@ -512,6 +525,10 @@ static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp,
 }
 }
 }
+
+ if (size > 0) {
+ break; /* just drop out, untouched data initialized to zero. */
+ }
 }
 free (load);
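Review bot: In the first hunk (`@@ -470,6 +470,7 @@`) the `malloc` line appears to stay as context, since the header counts go from 6 to 7 lines, so `data` is assigned twice and the first buffer leaks on every tile. The new `calloc (1, x*y*bpp)` also multiplies before calloc can check the product for overflow, and its result is used without a NULL test. I would delete the `malloc` line and write `data = (unsigned char *) calloc ((size_t) x * y, bpp);` followed by `if (data == NULL) { free (load); return NULL; }`, assuming callers already cope with a NULL tile. The declarations of `x` and `y` and the function's return path are outside the hunk, so both need confirming there.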
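Review bot: In the second hunk (`@@ -486,6 +487,12 @@`) the new bound is tested against `len`, the requested size, although the first hunk shows the count SDL_RWread actually delivered being stored in `reallen`. After a short read the check still admits offsets whose bytes were never filled in. The check also sits after the `t += 2` length-decoding block, so the opcode and length bytes seem to be consumed before any bounds test; both points apply equally to the third hunk (`@@ -501,6 +508,12 @@`). Separately, `>=` here rejects a literal run that ends exactly at the end of the buffer; `if (((size_t) (t - load) + length) > reallen) {` would accept it while still refusing anything past the data read. The enclosing loop starts and ends outside these hunks, so the right place for an up-front check on the header bytes has to be confirmed there.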
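Review bot: In the last hunk (`@@ -512,6 +525,10 @@`) a corrupt stream makes the decoder stop and return a tile whose remaining bytes are the zeros from the `calloc` in the first hunk, and nothing tells the caller the tile is incomplete. The comment should say so explicitly, e.g. `/* corrupt RLE stream: stop decoding; the rest of the tile stays zero-filled and no error is reported */`. The function's header comment should also document that a returned tile may be only partially decoded. If the project wants this to be diagnosable, an `IMG_SetError` call at this point would record it, though whether any caller inspects the error is outside the hunk.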