From 43c0f60523105c29e7e316c7666069ebd9c1b42a Mon Sep 17 00:00:00 2001
From: Campbell Barton <ideasman42@gmail.com>
Date: Tue, 20 Oct 2015 02:05:52 +1100
Subject: Fix T46534: Crash loading corrupt HDR's

---
 source/blender/imbuf/intern/radiance_hdr.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/source/blender/imbuf/intern/radiance_hdr.c b/source/blender/imbuf/intern/radiance_hdr.c
index 5bb438f5dbe..71e74928e20 100644
--- a/source/blender/imbuf/intern/radiance_hdr.c
+++ b/source/blender/imbuf/intern/radiance_hdr.c
@@ -137,6 +137,9 @@ static const unsigned char *freadcolrs(RGBE *scan, const unsigned char *mem, int
 			code = *mem++;
 			if (code > 128) {
 				code &= 127;
+				if (UNLIKELY(code + j > xmax)) {
+					return NULL;
+				}
 				val = *mem++;
 				while (code--) {
 					scan[j++][i] = (unsigned char)val;
@@ -146,6 +149,9 @@ static const unsigned char *freadcolrs(RGBE *scan, const unsigned char *mem, int
 				if (UNLIKELY(mem_eof - mem < code)) {
 					return NULL;
 				}
+				if (UNLIKELY(code + j > xmax)) {
+					return NULL;
+				}
 				while (code--) {
 					scan[j++][i] = *mem++;
 				}
-- 
cgit v1.2.3