From 298623541b28a2f035e9d248c37316373a689d0b Mon Sep 17 00:00:00 2001 From: cutealien Date: Sat, 23 Sep 2023 19:01:01 +0000 Subject: [PATCH] Fix number overflows in TGA loader causing crashes Image size calculation could overflow s32 in one place (but not others where it was done correct), which first lead to wrong amount of memory getting allocated for image data and later crash in the CColorConverter. Thanks @sfan5 for his fuzzing tests @https://github.com/minetest/irrlicht/issues/236 and @erlehmann for passing them on: https://irrlicht.sourceforge.io/forum/viewtopic.php?t=52925 Also updating changes.txt with TGA loader changes from this and previous commits. git-svn-id: svn://svn.code.sf.net/p/irrlicht/code/trunk@6535 dfc29bdd-3216-0410-991c-e03cc46cb475 --- changes.txt | 3 +++ source/Irrlicht/CImageLoaderTGA.cpp | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/changes.txt b/changes.txt index ef49032..b66657a 100644 --- a/changes.txt +++ b/changes.txt @@ -1,6 +1,9 @@ -------------------------- Changes in 1.9 (not yet released) +- Fix number overflow in TGA loader causing crashes later on. Thanks @sfan5 for fuzzing test. +- Fix several buffer overflows in TGA loader. Thanks @erlehmann for report and @sfan5 for fuzzing test: https://github.com/minetest/irrlicht/issues/236 +- TGA loader no longer reduces 24&32 bit TGA's with palettes to 16 bit. Thanks @erlehmann for report: https://irrlicht.sourceforge.io/forum/viewtopic.php?t=52925 - Fix compile error with OS X 10.10 SDK, bug #463. Thanks @Ryan Schmidt for report and patch. - Optimize quaternion::rotationFromTo. Thanks @Robert Eisele for patch and proof (https://raw.org/proof/quaternion-from-two-vectors) - Shader material example shows now how to pass material values. diff --git a/source/Irrlicht/CImageLoaderTGA.cpp b/source/Irrlicht/CImageLoaderTGA.cpp index bb0814a..05ee4b9 100644 --- a/source/Irrlicht/CImageLoaderTGA.cpp +++ b/source/Irrlicht/CImageLoaderTGA.cpp 
@@ -163,7 +163,7 @@ IImage* CImageLoaderTGA::loadImage(io::IReadFile* file) const header.ImageType == 3 // Uncompressed, black and white images ) { - const s32 imageSize = header.ImageHeight * header.ImageWidth * header.PixelDepth/8; + const s32 imageSize = header.ImageHeight * header.ImageWidth * (header.PixelDepth/8); data = new u8[imageSize]; file->read(data, imageSize); }
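Review bot: In the `CImageLoaderTGA::loadImage` hunk, `imageSize` is still a product of three file-controlled header fields stored in an `s32`, and nothing visible here bounds it before `new u8[imageSize]`. Dividing `PixelDepth` first shrinks the intermediate value, but whether the product can still wrap for large width and height depends on the field types, which this hunk does not show. Consider computing the size in a wider unsigned type and rejecting the file when the result is zero or above a sane limit. Two smaller points on the same lines: `(header.PixelDepth/8)` now truncates to whole bytes before the multiplication, so a depth that is not a multiple of 8 gives a smaller buffer than the old expression did, and it is worth confirming such depths are rejected earlier. The return value of `file->read(data, imageSize)` is also unchecked, so a truncated file leaves part of `data` uninitialized when it is later handed to the colour conversion.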