Fix number overflows in TGA loader causing crashes

Image size calculation could overflow s32 in one place (but not others where it was done correct), which first lead to wrong amount of memory getting allocated for image data and later crash in the CColorConverter. Thanks @sfan5 for his fuzzing tests @https://github.com/minetest/irrlicht/issues/236 and @erlehmann for passing them on: https://irrlicht.sourceforge.io/forum/viewtopic.php?t=52925 Also updating changes.txt with TGA loader changes from this and previous commits. git-svn-id: svn://svn.code.sf.net/p/irrlicht/code/trunk@6535 dfc29bdd-3216-0410-991c-e03cc46cb475
2023-09-23 19:01:01 +00:00 · 2023-09-23 19:01:01 +00:00 · 9813b460e1
commit 9813b460e1
parent 565f14677c
1 changed files with 1 additions and 1 deletions
--- a/source/Irrlicht/CImageLoaderTGA.cpp
+++ b/source/Irrlicht/CImageLoaderTGA.cpp
@ -162,7 +162,7 @@ IImage* CImageLoaderTGA::loadImage(io::IReadFile* file) const
 			header.ImageType == 3 // Uncompressed, black and white images
 		)
 	{
-		const s32 imageSize = header.ImageHeight * header.ImageWidth * header.PixelDepth/8;
+		const s32 imageSize = header.ImageHeight * header.ImageWidth * (header.PixelDepth/8);
 		data = new u8[imageSize];
 	  	file->read(data, imageSize);
 	}