forked from Mirrorlandia_minetest/irrlicht
Fix crash caused by memory overwriting in TGA loader caused by bad RLE data
From sfan5's fuzzing test reported in Minetest here: https://github.com/minetest/irrlicht/issues/236 Was missing test if it writes beyond allocated memory which can be triggered by TGA's which lie in their RLE data. git-svn-id: svn://svn.code.sf.net/p/irrlicht/code/trunk@6534 dfc29bdd-3216-0410-991c-e03cc46cb475
This commit is contained in:
parent
74d3a9967f
commit
9f48103263
@ -63,8 +63,13 @@ u8 *CImageLoaderTGA::loadCompressedImage(io::IReadFile *file, const STGAHeader&
|
|||||||
|
|
||||||
for(s32 counter = 1; counter < chunkheader; counter++)
|
for(s32 counter = 1; counter < chunkheader; counter++)
|
||||||
{
|
{
|
||||||
for(s32 elementCounter=0; elementCounter < bytesPerPixel; elementCounter++)
|
if ( currentByte + bytesPerPixel <= imageSize )
|
||||||
data[currentByte + elementCounter] = data[dataOffset + elementCounter];
|
{
|
||||||
|
for(s32 elementCounter=0; elementCounter < bytesPerPixel; elementCounter++)
|
||||||
|
{
|
||||||
|
data[currentByte + elementCounter] = data[dataOffset + elementCounter];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
currentByte += bytesPerPixel;
|
currentByte += bytesPerPixel;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user