CImageLoaderBMP: fix palette overreads

2023-09-18 15:16:26 +02:00 · 2023-09-18 15:16:26 +02:00 · a5c9945bb8
parent cfb73d07d7
commit a5c9945bb8
1 changed files with 5 additions and 1 deletions
--- a/source/Irrlicht/CImageLoaderBMP.cpp
+++ b/source/Irrlicht/CImageLoaderBMP.cpp
@ -262,12 +262,16 @@ IImage* CImageLoaderBMP::loadImage(io::IReadFile* file) const
 	// read palette

 	long pos = file->getPos();
+	constexpr s32 paletteAllocSize = 256;
 	s32 paletteSize = (header.BitmapDataOffset - pos) / 4;
+	paletteSize = core::clamp(paletteSize, 0, paletteAllocSize);

 	s32* paletteData = 0;
 	if (paletteSize)
 	{
-		paletteData = new s32[paletteSize];
+		// always allocate an 8-bit palette to ensure enough space
+		paletteData = new s32[paletteAllocSize];
+		memset(paletteData, 0, paletteAllocSize * sizeof(s32));
 		file->read(paletteData, paletteSize * sizeof(s32));
 #ifdef __BIG_ENDIAN__
 		for (s32 i=0; i<paletteSize; ++i)