From 501185e9cc850a3609a83642b470139ead59eba8 Mon Sep 17 00:00:00 2001 From: cutealien Date: Tue, 21 Jun 2022 18:19:00 +0000 Subject: [PATCH] Fix checkDataSizeLimit test in png loader. I thought BitDepth was per pixel back then, but it's per channel. So limit could be broken. git-svn-id: svn://svn.code.sf.net/p/irrlicht/code/trunk@6409 dfc29bdd-3216-0410-991c-e03cc46cb475 --- source/Irrlicht/CImageLoaderPNG.cpp | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/source/Irrlicht/CImageLoaderPNG.cpp b/source/Irrlicht/CImageLoaderPNG.cpp index 08fc7201..02beb808 100644 --- a/source/Irrlicht/CImageLoaderPNG.cpp +++ b/source/Irrlicht/CImageLoaderPNG.cpp @@ -143,10 +143,10 @@ IImage* CImageLoaderPng::loadImage(io::IReadFile* file) const png_read_info(png_ptr, info_ptr); // Read the info section of the png file - u32 Width; - u32 Height; - s32 BitDepth; - s32 ColorType; + u32 Width=0; + u32 Height=0; + s32 BitDepth=0; + s32 ColorType=0; { // Use temporary variables to avoid passing cast pointers png_uint_32 w,h; @@ -158,9 +158,6 @@ IImage* CImageLoaderPng::loadImage(io::IReadFile* file) const Height=h; } - if (!IImage::checkDataSizeLimit((size_t)Width* Height * (BitDepth/8))) - png_cpexcept_error(png_ptr, "Image dimensions too large"); - // Convert palette color to true color if (ColorType==PNG_COLOR_TYPE_PALETTE) png_set_palette_to_rgb(png_ptr); 
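Review bot: The temporaries in the trailing context of the first hunk, `png_uint_32 w,h;`, are still uninitialised, so the new `=0` defaults on Width and Height only help if the later copies are skipped. `Height=h;` at the top of the next hunk looks unconditional, so if the header query between them (not shown here) returns without writing w and h, the zeroes are overwritten with indeterminate values. Initialising the temporaries too, `png_uint_32 w=0,h=0;`, keeps the dimensions taken from an untrusted file defined on every path. The braced block opens in this hunk and closes in the next, so the lines in between are not visible.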
@@ -223,12 +220,13 @@ IImage* CImageLoaderPng::loadImage(io::IReadFile* file) const #endif } + ECOLOR_FORMAT colorFormat = ColorType==PNG_COLOR_TYPE_RGB_ALPHA ? ECF_A8R8G8B8 : ECF_R8G8B8; + + if (!IImage::checkDataSizeLimit(IImage::getDataSizeFromFormat(colorFormat, Width, Height))) + png_cpexcept_error(png_ptr, "Image dimensions too large"); + // Create the image structure to be filled by png data - video::IImage* image = 0; - if (ColorType==PNG_COLOR_TYPE_RGB_ALPHA) - image = new CImage(ECF_A8R8G8B8, core::dimension2d(Width, Height)); - else - image = new CImage(ECF_R8G8B8, core::dimension2d(Width, Height)); + video::IImage* image = new CImage(colorFormat, core::dimension2du(Width, Height)); if (!image) { os::Printer::log("LOAD PNG: Internal PNG create image struct failure\n", file->getFileName(), ELL_ERROR);
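Review bot: The limit on the added `checkDataSizeLimit(IImage::getDataSizeFromFormat(colorFormat, Width, Height))` line is only as reliable as the arithmetic inside getDataSizeFromFormat, which this patch does not show. Width and Height come from the PNG header, and the removed check cast to `size_t` before multiplying. If the helper multiplies in 32 bits, or size_t is 32 bits on the target, a large width/height pair could wrap to a small byte count and pass the check just before `new CImage(colorFormat, ...)`. It is worth confirming that the helper widens before multiplying and recording that next to the call, for example `// Width/Height are untrusted file data; getDataSizeFromFormat must compute the size without wrapping`. loadImage starts and ends outside this hunk.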