Fix number overflows in TGA loader causing crashes

Image size calculation could overflow s32 in one place (but not others where it was done correctly), which first led to the wrong amount of memory getting allocated for image data and later a crash in the CColorConverter.
Thanks @sfan5 for his fuzzing tests @https://github.com/minetest/irrlicht/issues/236
and @erlehmann for passing them on: https://irrlicht.sourceforge.io/forum/viewtopic.php?t=52925
Also updating changes.txt with TGA loader changes from this and previous commits.


git-svn-id: svn://svn.code.sf.net/p/irrlicht/code/trunk@6535 dfc29bdd-3216-0410-991c-e03cc46cb475
cutealien 2023-09-23 19:01:01 +00:00
parent 9f48103263
commit 298623541b
2 changed files with 4 additions and 1 deletions

@ -1,6 +1,9 @@
--------------------------
Changes in 1.9 (not yet released)
- Fix number overflow in TGA loader causing crashes later on. Thanks @sfan5 for fuzzing test.
- Fix several buffer overflows in TGA loader. Thanks @erlehmann for report and @sfan5 for fuzzing test: https://github.com/minetest/irrlicht/issues/236
- TGA loader no longer reduces 24&32 bit TGA's with palettes to 16 bit. Thanks @erlehmann for report: https://irrlicht.sourceforge.io/forum/viewtopic.php?t=52925
- Fix compile error with OS X 10.10 SDK, bug #463. Thanks @Ryan Schmidt for report and patch.
- Optimize quaternion::rotationFromTo. Thanks @Robert Eisele for patch and proof (https://raw.org/proof/quaternion-from-two-vectors)
- Shader material example shows now how to pass material values.
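Review bot: The new entry "Fix number overflow in TGA loader causing crashes later on" does not say which input triggers the overflow, so a reader of changes.txt cannot tell whether files they load were affected. Consider naming the case (the s32 image size calculation for uncompressed images) and linking the same issue as the buffer overflow entry below it, https://github.com/minetest/irrlicht/issues/236, which the commit message credits for this fix as well.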

@ -163,7 +163,7 @@ IImage* CImageLoaderTGA::loadImage(io::IReadFile* file) const
header.ImageType == 3 // Uncompressed, black and white images
)
{
const s32 imageSize = header.ImageHeight * header.ImageWidth * header.PixelDepth/8;
const s32 imageSize = header.ImageHeight * header.ImageWidth * (header.PixelDepth/8);
data = new u8[imageSize];
file->read(data, imageSize);
}
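Review bot: The imageSize line still multiplies in signed 32-bit arithmetic and passes the result straight to `new u8[imageSize]` and `file->read(data, imageSize)`, with no range check in the visible lines. The added parentheses around `header.PixelDepth/8` only make the intermediate product smaller. If the dimensions are not bounded earlier in loadImage (not shown in this hunk), compute the size in a wider unsigned type and reject the file when it is zero or above a sane limit before allocating. Two smaller points: `(header.PixelDepth/8)` now truncates before the multiply, so a depth that is not a multiple of 8 yields a smaller size than the old expression did, and the return value of `file->read` is ignored, so a truncated file leaves part of `data` uninitialized.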