From 05ebc43222b7dd23cc919ddc963cd400bf6f0176 Mon Sep 17 00:00:00 2001
From: cutealien
Date: Sat, 23 Sep 2023 16:34:42 +0000
Subject: [PATCH] Fix TGA's with bad palette colors reading from behind palette memory

TGA's can claim to use less palette colors than they later do. We only support 8-bit palettes, so to make this safer lets just always allocate at least 256 bytes. Thanks @erlehmann for report and testcase: https://irrlicht.sourceforge.io/forum/viewtopic.php?p=307191 Based on Minetest bug report: https://github.com/minetest/irrlicht/issues/236
git-svn-id: svn://svn.code.sf.net/p/irrlicht/code/trunk@6532 dfc29bdd-3216-0410-991c-e03cc46cb475
---
 source/Irrlicht/CImageLoaderTGA.cpp | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/source/Irrlicht/CImageLoaderTGA.cpp b/source/Irrlicht/CImageLoaderTGA.cpp
index 51530432..56e58587 100644
--- a/source/Irrlicht/CImageLoaderTGA.cpp
+++ b/source/Irrlicht/CImageLoaderTGA.cpp
@@ -116,8 +116,17 @@ IImage* CImageLoaderTGA::loadImage(io::IReadFile* file) const
 if (header.ColorMapType)
 {
- // create 32 bit palette
- palette = new u32[ header.ColorMapLength];
+ // Create 32 bit palette
+ const irr::u16 paletteSize = core::max_((u16)256, header.ColorMapLength); // ColorMapLength can lie, but so far we only use palette for 8-bit, so ensure it has 256 entries
+ palette = new u32[paletteSize];
+
+ if( paletteSize > header.ColorMapLength )
+ {
+ // To catch images using palette colors with invalid indices
+ const irr::u32 errorCol = irr::video::SColor(255,255, 0, 205).color; // bright magenta
+ for ( irr::u16 i = header.ColorMapLength; i< paletteSize; ++i )
+ palette[i] = errorCol;
+ }
 // read color map
 u8 * colorMap = new u8[header.ColorMapEntrySize/8 * header.ColorMapLength];
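Review bot: The magenta fill starts at `header.ColorMapLength`, so the first ColorMapLength entries of `palette` still hold whatever `new u32[paletteSize]` returned until the conversion code after this hunk overwrites them. If that code skips an unsupported `ColorMapEntrySize`, or the color-map read comes up short (neither is visible here), uninitialized heap contents could end up in the decoded image. Dropping the `if` and starting the loop at zero makes every entry defined before the file is consulted: `for ( irr::u16 i = 0; i < paletteSize; ++i ) palette[i] = errorCol;`. The 256-entry floor also relies on palette indices being 8-bit, which is stated only in the trailing comment, so it is worth confirming at the indexing site that color-mapped images with another pixel depth are rejected. loadImage begins and ends outside the hunk.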