From a5c9945bb8e6ad50d568965b9847a2f2c736fbfe Mon Sep 17 00:00:00 2001
From: sfan5
Date: Mon, 18 Sep 2023 15:16:26 +0200
Subject: [PATCH] CImageLoaderBMP: fix palette overreads

---
 source/Irrlicht/CImageLoaderBMP.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/source/Irrlicht/CImageLoaderBMP.cpp b/source/Irrlicht/CImageLoaderBMP.cpp
index a913101a..1fdebf5c 100644
--- a/source/Irrlicht/CImageLoaderBMP.cpp
+++ b/source/Irrlicht/CImageLoaderBMP.cpp
@@ -262,12 +262,16 @@ IImage* CImageLoaderBMP::loadImage(io::IReadFile* file) const
 // read palette
 long pos = file->getPos();
+ constexpr s32 paletteAllocSize = 256;
 s32 paletteSize = (header.BitmapDataOffset - pos) / 4;
+ paletteSize = core::clamp(paletteSize, 0, paletteAllocSize);
 s32* paletteData = 0;
 if (paletteSize)
 {
- paletteData = new s32[paletteSize];
+ // always allocate an 8-bit palette to ensure enough space
+ paletteData = new s32[paletteAllocSize];
+ memset(paletteData, 0, paletteAllocSize * sizeof(s32));
 file->read(paletteData, paletteSize * sizeof(s32));
 #ifdef __BIG_ENDIAN__
 for (s32 i=0; i