diff options
author | Campbell Barton <ideasman42@gmail.com> | 2020-11-11 08:14:09 +0300 |
---|---|---|
committer | Campbell Barton <ideasman42@gmail.com> | 2020-11-11 08:14:09 +0300 |
commit | 15ffda3bcd697e6f3a0cc13e141da865f36f3b53 (patch) | |
tree | f98d9fc831f18a9194818f5428466884654e802b /source/blender/imbuf/intern/radiance_hdr.c | |
parent | 2d60845786aeab099c61ffa42b7f72cccc68bff1 (diff) |
Fix T82602: checking image header reads past buffer bounds
Use the size argument to ensure checking the header doesn't read
past the buffer bounds when reading corrupt/truncated headers
from image files.
Diffstat (limited to 'source/blender/imbuf/intern/radiance_hdr.c')
-rw-r--r-- | source/blender/imbuf/intern/radiance_hdr.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/source/blender/imbuf/intern/radiance_hdr.c b/source/blender/imbuf/intern/radiance_hdr.c index d8b032dc5bd..285b18595f7 100644 --- a/source/blender/imbuf/intern/radiance_hdr.c +++ b/source/blender/imbuf/intern/radiance_hdr.c @@ -197,7 +197,7 @@ static void FLOAT2RGBE(const fCOLOR fcol, RGBE rgbe) /* ImBuf read */ -bool imb_is_a_hdr(const unsigned char *buf, size_t UNUSED(size)) +bool imb_is_a_hdr(const unsigned char *buf, const size_t size) { /* NOTE: `#?RADIANCE` is used by other programs such as `ImageMagik`, * Although there are some files in the wild that only use `#?` (from looking online). @@ -209,6 +209,9 @@ bool imb_is_a_hdr(const unsigned char *buf, size_t UNUSED(size)) * See: http://paulbourke.net/dataformats/pic/ */ const unsigned char magic[2] = {'#', '?'}; + if (size < sizeof(magic)) { + return false; + } return memcmp(buf, magic, sizeof(magic)) == 0; } |