Fix crash caused by memory overwriting in TGA loader caused by bad RLE data

From sfan5's fuzzing test reported in Minetest here: https://github.com/minetest/irrlicht/issues/236
Was missing a test for whether it writes beyond allocated memory, which can be triggered by TGAs which lie in their RLE data.

git-svn-id: svn://svn.code.sf.net/p/irrlicht/code/trunk@6534 dfc29bdd-3216-0410-991c-e03cc46cb475
cutealien 2023-09-23 18:33:46 +00:00
parent 74d3a9967f
commit 9f48103263


@ -62,9 +62,14 @@ u8 *CImageLoaderTGA::loadCompressedImage(io::IReadFile *file, const STGAHeader&
currentByte += bytesPerPixel; currentByte += bytesPerPixel;
for(s32 counter = 1; counter < chunkheader; counter++) for(s32 counter = 1; counter < chunkheader; counter++)
{
if ( currentByte + bytesPerPixel <= imageSize )
{ {
for(s32 elementCounter=0; elementCounter < bytesPerPixel; elementCounter++) for(s32 elementCounter=0; elementCounter < bytesPerPixel; elementCounter++)
{
data[currentByte + elementCounter] = data[dataOffset + elementCounter]; data[currentByte + elementCounter] = data[dataOffset + elementCounter];
}
}
currentByte += bytesPerPixel; currentByte += bytesPerPixel;
} }
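Review bot: The new guard `if ( currentByte + bytesPerPixel <= imageSize )` only skips the copy inside the run-length repeat loop. The loop still runs to `chunkheader`, still advances `currentByte`, and nothing tells the caller that the RLE data overran the image. Consider breaking out of the loop and failing the load (or at least logging an error) once the bound is exceeded, so a file that lies in its RLE data is rejected rather than returned as a partially filled image. The `currentByte += bytesPerPixel;` just above the loop belongs to a write that is outside this hunk, and the source pixel at `data[dataOffset + elementCounter]` is read without a visible check. It is worth confirming that the first pixel of each run and the raw (non-repeated) packet path have the same `imageSize` bound. A small regression test using the fuzzed file from the linked issue would keep this from coming back.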