author | Lucas Dupin <dupin@google.com> | 2017-04-06 17:44:08 -0700 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2017-05-24 22:40:52 +0000 |
commit | d0952617abd79284d834d904362524cbc0d6edb1 (patch) | |
tree | 35e1c94c7cd48f357ca7c2a6f6c5991211cd2769 | |
parent | c9234136dfb07984a4e620fcac05dcaa7e8f3818 (diff) | |
Fix 36385715 heap overflow when loading HDR files
Change-Id: I9a177c9181bd46dabaa9bfee3573a2e99a6c935a
Fix: 36385715
Test: non-applicable
(cherry picked from commit 6f9470d49364010780cce22ce5c866c2f2f852a5)
-rw-r--r-- | gdx/jni/gdx2d/stb_image.h | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/gdx/jni/gdx2d/stb_image.h b/gdx/jni/gdx2d/stb_image.h
index a9d338a2a..23254d64d 100644
--- a/gdx/jni/gdx2d/stb_image.h
+++ b/gdx/jni/gdx2d/stb_image.h
@@ -965,6 +965,9 @@ static unsigned char *stbi__load_main(stbi__context *s, int *x, int *y, int *com
 #ifndef STBI_NO_HDR
 if (stbi__hdr_test(s)) {
 float *hdr = stbi__hdr_load(s, x,y,comp,req_comp);
+ if (hdr == NULL) {
+ return NULL;
+ }
 return stbi__hdr_to_ldr(hdr, *x, *y, req_comp ? req_comp : *comp);
 }
 #endif
@@ -6046,7 +6049,11 @@ static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int re
 }
 len <<= 8;
 len |= stbi__get8(s);
- if (len != width) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("invalid decoded scanline length", "corrupt HDR"); }
+ if (len != width) {
+ STBI_FREE(hdr_data);
+ STBI_FREE(scanline);
+ return stbi__errpf("invalid decoded scanline length", "corrupt HDR");
+ }
 if (scanline == NULL) scanline = (stbi_uc *) stbi__malloc(width * 4);
 for (k = 0; k < 4; ++k) {
@@ -6060,6 +6067,11 @@ static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int re
 for (z = 0; z < count; ++z)
 scanline[i++ * 4 + k] = value;
 } else {
+ if (count > len) {
+ STBI_FREE(hdr_data);
+ STBI_FREE(scanline);
+ return stbi__errpf("invalid buffer size", "corrupt HDR");
+ }
 // Dump
 for (z = 0; z < count; ++z)
 scanline[i++ * 4 + k] = stbi__get8(s); |
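Review bot: The new `count > len` guard in the dump branch of the last hunk compares the run length with the whole scanline width rather than with the space left after `i`, so a dump that starts near the end of the row can still write past `scanline`; the run branch at the top of the same hunk has no guard at all. Both loops advance `i` by `count`, so the bound should be the remainder: `if (count > width - i) {` in the dump branch, with the same free-and-`stbi__errpf` block placed before the run loop `for (z = 0; z < count; ++z) scanline[i++ * 4 + k] = value;`. The declarations of `count` and `i` and the enclosing loop are outside the hunk, so confirm their types make `width - i` a safe comparison. The buffer itself comes from `stbi__malloc(width * 4)` in the previous hunk, which is used without a NULL check before the `for (k = 0; k < 4; ++k)` loop writes to it.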