forked from Mirrorlandia_minetest/irrlicht
Fix crash caused by memory overwriting in TGA loader caused by bad RLE data
From sfan5's fuzzing test reported in Minetest here: https://github.com/minetest/irrlicht/issues/236
Was missing test if it writes beyond allocated memory which can be triggered by TGAs which lie in their RLE data.
git-svn-id: svn://svn.code.sf.net/p/irrlicht/code/trunk@6534 dfc29bdd-3216-0410-991c-e03cc46cb475
parent f53af0f2cf
commit 565f14677c
@ -61,9 +61,14 @@ u8 *CImageLoaderTGA::loadCompressedImage(io::IReadFile *file, const STGAHeader&
|
|||||||
currentByte += bytesPerPixel;
|
currentByte += bytesPerPixel;
|
||||||
|
|
||||||
for(s32 counter = 1; counter < chunkheader; counter++)
|
for(s32 counter = 1; counter < chunkheader; counter++)
|
||||||
|
{
|
||||||
|
if ( currentByte + bytesPerPixel <= imageSize )
|
||||||
{
|
{
|
||||||
for(s32 elementCounter=0; elementCounter < bytesPerPixel; elementCounter++)
|
for(s32 elementCounter=0; elementCounter < bytesPerPixel; elementCounter++)
|
||||||
|
{
|
||||||
data[currentByte + elementCounter] = data[dataOffset + elementCounter];
|
data[currentByte + elementCounter] = data[dataOffset + elementCounter];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
currentByte += bytesPerPixel;
|
currentByte += bytesPerPixel;
|
||||||
}
|
}
|
||||||
|
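Review bot: In the run-length copy loop, the new `if ( currentByte + bytesPerPixel <= imageSize )` guard only skips the write. As rendered here, `currentByte += bytesPerPixel;` sits after the guarded block, so a packet whose count lies about the remaining data keeps iterating and advancing `currentByte` for every remaining pixel. Consider breaking out of the loop once the check fails, and reporting the file as corrupt so the load fails instead of returning a silently truncated image. The hunk also does not show how the packet's first pixel is written before the `currentByte += bytesPerPixel;` at its top; confirm that write is bounded against `imageSize` in the same way.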