diff options
author | Campbell Barton <ideasman42@gmail.com> | 2020-11-11 08:14:09 +0300 |
---|---|---|
committer | Campbell Barton <ideasman42@gmail.com> | 2020-11-11 08:14:09 +0300 |
commit | 15ffda3bcd697e6f3a0cc13e141da865f36f3b53 (patch) | |
tree | f98d9fc831f18a9194818f5428466884654e802b /source/blender/imbuf/intern/targa.c | |
parent | 2d60845786aeab099c61ffa42b7f72cccc68bff1 (diff) |
Fix T82602: checking image header reads past buffer bounds
Use the size argument to ensure checking the header doesn't read
past the buffer bounds when reading corrupt/truncated headers
from image files.
Diffstat (limited to 'source/blender/imbuf/intern/targa.c')
-rw-r--r-- | source/blender/imbuf/intern/targa.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/source/blender/imbuf/intern/targa.c b/source/blender/imbuf/intern/targa.c index 64dbf6deb4b..a9833623250 100644 --- a/source/blender/imbuf/intern/targa.c +++ b/source/blender/imbuf/intern/targa.c @@ -361,8 +361,12 @@ bool imb_savetarga(struct ImBuf *ibuf, const char *filepath, int UNUSED(flags)) return ok; } -static bool checktarga(TARGA *tga, const unsigned char *mem) +static bool checktarga(TARGA *tga, const unsigned char *mem, const size_t size) { + if (size < TARGA_HEADER_SIZE) { + return false; + } + tga->numid = mem[0]; tga->maptyp = mem[1]; tga->imgtyp = mem[2]; @@ -409,11 +413,11 @@ static bool checktarga(TARGA *tga, const unsigned char *mem) return true; } -bool imb_is_a_targa(const unsigned char *buf, size_t UNUSED(size)) +bool imb_is_a_targa(const unsigned char *buf, size_t size) { TARGA tga; - return checktarga(&tga, buf); + return checktarga(&tga, buf, size); } static void complete_partial_load(struct ImBuf *ibuf, unsigned int *rect) @@ -633,7 +637,7 @@ ImBuf *imb_loadtarga(const unsigned char *mem, int32_t cp_data; uchar *cp = (uchar *)&cp_data; - if (checktarga(&tga, mem) == 0) { + if (checktarga(&tga, mem, mem_size) == 0) { return NULL; } |