Merging r6555 through r6560 from branch releases/1.8 to trunk

- Fixing buffer overflow in tga loader

git-svn-id: svn://svn.code.sf.net/p/irrlicht/code/trunk@6561 dfc29bdd-3216-0410-991c-e03cc46cb475
This commit is contained in:
cutealien 2023-10-16 20:59:41 +00:00 committed by sfan5
parent 631c0fa77b
commit 4a7d3de89a

@ -31,10 +31,10 @@ u8 *CImageLoaderTGA::loadCompressedImage(io::IReadFile *file, const STGAHeader&
// This was written and sent in by Jon Pry, thank you very much! // This was written and sent in by Jon Pry, thank you very much!
// I only changed the formatting a little bit. // I only changed the formatting a little bit.
s32 bytesPerPixel = header.PixelDepth/8; const u32 bytesPerPixel = header.PixelDepth/8;
s32 imageSize = header.ImageHeight * header.ImageWidth * bytesPerPixel; const u32 imageSize = header.ImageHeight * header.ImageWidth * bytesPerPixel;
u8* data = new u8[imageSize]; u8* data = new u8[imageSize];
s32 currentByte = 0; u32 currentByte = 0;
while(currentByte < imageSize) while(currentByte < imageSize)
{ {
@ -45,8 +45,17 @@ u8 *CImageLoaderTGA::loadCompressedImage(io::IReadFile *file, const STGAHeader&
{ {
chunkheader++; // Add 1 To The Value To Get Total Number Of Raw Pixels chunkheader++; // Add 1 To The Value To Get Total Number Of Raw Pixels
file->read(&data[currentByte], bytesPerPixel * chunkheader); const u32 bytesToRead = bytesPerPixel * chunkheader;
currentByte += bytesPerPixel * chunkheader; if ( currentByte+bytesToRead < imageSize )
{
file->read(&data[currentByte], bytesToRead);
currentByte += bytesToRead;
}
else
{
os::Printer::log("Compressed TGA file RAW chunk tries writing beyond buffer", file->getFileName(), ELL_WARNING);
break;
}
} }
else else
{ {
@ -55,16 +64,23 @@ u8 *CImageLoaderTGA::loadCompressedImage(io::IReadFile *file, const STGAHeader&
// If It's An RLE Header // If It's An RLE Header
chunkheader -= 127; // Subtract 127 To Get Rid Of The ID Bit chunkheader -= 127; // Subtract 127 To Get Rid Of The ID Bit
s32 dataOffset = currentByte; u32 dataOffset = currentByte;
if ( dataOffset+bytesPerPixel < imageSize )
{
file->read(&data[dataOffset], bytesPerPixel); file->read(&data[dataOffset], bytesPerPixel);
currentByte += bytesPerPixel; currentByte += bytesPerPixel;
}
else
{
os::Printer::log("Compressed TGA file RLE headertries writing beyond buffer", file->getFileName(), ELL_WARNING);
break;
}
for(s32 counter = 1; counter < chunkheader; counter++) for(u32 counter = 1; counter < chunkheader; counter++)
{ {
if ( currentByte + bytesPerPixel <= imageSize ) if ( currentByte + bytesPerPixel <= imageSize )
{ {
for(s32 elementCounter=0; elementCounter < bytesPerPixel; elementCounter++) for(u32 elementCounter=0; elementCounter < bytesPerPixel; elementCounter++)
{ {
data[currentByte + elementCounter] = data[dataOffset + elementCounter]; data[currentByte + elementCounter] = data[dataOffset + elementCounter];
} }