From 565f14677c088ded21a78efafec9eda368629973 Mon Sep 17 00:00:00 2001 From: cutealien Date: Sat, 23 Sep 2023 18:33:46 +0000 Subject: [PATCH] Fix crash caused by memory overwriting in TGA loader caused by bad RLE data From sfan5's fuzzing test reported in Minetest here: https://github.com/minetest/irrlicht/issues/236 Was missing test if it writes beyond allocated memory which can be triggered by TGA's which lie in their RLE data. git-svn-id: svn://svn.code.sf.net/p/irrlicht/code/trunk@6534 dfc29bdd-3216-0410-991c-e03cc46cb475 --- source/Irrlicht/CImageLoaderTGA.cpp | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/source/Irrlicht/CImageLoaderTGA.cpp b/source/Irrlicht/CImageLoaderTGA.cpp index 887b8a23..2410ca13 100644 --- a/source/Irrlicht/CImageLoaderTGA.cpp +++ b/source/Irrlicht/CImageLoaderTGA.cpp @@ -62,8 +62,13 @@ u8 *CImageLoaderTGA::loadCompressedImage(io::IReadFile *file, const STGAHeader& for(s32 counter = 1; counter < chunkheader; counter++) { - for(s32 elementCounter=0; elementCounter < bytesPerPixel; elementCounter++) - data[currentByte + elementCounter] = data[dataOffset + elementCounter]; + if ( currentByte + bytesPerPixel <= imageSize ) + { + for(s32 elementCounter=0; elementCounter < bytesPerPixel; elementCounter++) + { + data[currentByte + elementCounter] = data[dataOffset + elementCounter]; + } + } currentByte += bytesPerPixel; }