minetest
/
irrlicht
mirror of https://github.com/minetest/irrlicht.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fix number overflows in TGA loader causing crashes 

Image size calculation could overflow s32 in one place (but not others where it was done correct), which first lead to wrong amount of memory getting allocated for image data and later crash in the CColorConverter.
Thanks @sfan5 for his fuzzing tests @https://github.com/minetest/irrlicht/issues/236
and @erlehmann for passing them on: https://irrlicht.sourceforge.io/forum/viewtopic.php?t=52925
Also updating changes.txt with TGA loader changes from this and previous commits.

git-svn-id: svn://svn.code.sf.net/p/irrlicht/code/trunk@6535 dfc29bdd-3216-0410-991c-e03cc46cb475
This commit is contained in:
cutealien 2023-09-23 19:01:01 +00:00 committed by sfan5
parent 565f14677c
commit 9813b460e1
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
source/Irrlicht/CImageLoaderTGA.cpp
View File

@ -162,7 +162,7 @@ IImage* CImageLoaderTGA::loadImage(io::IReadFile* file) const
header.ImageType == 3 // Uncompressed, black and white images
)
{
const s32 imageSize = header.ImageHeight * header.ImageWidth * header.PixelDepth/8;
const s32 imageSize = header.ImageHeight * header.ImageWidth * (header.PixelDepth/8);
data = new u8[imageSize];
file->read(data, imageSize);
}