diff options
| author | android-build-team Robot <android-build-team-robot@google.com> | 2017-05-25 17:52:37 +0000 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2017-05-25 17:52:37 +0000 |
| commit | a3ff11caa4d2d7837dcd180caab6b024098ef3f2 (patch) | |
| tree | 3b2aeb489a89efdf9800f46caffa112e14da7d34 /gdx/jni/gdx2d/stb_image.h | |
| parent | c7345dbf1329e992872e1d3ba4042ef5defcb8ce (diff) | |
| parent | 7966b4ed992915089e5e77adce1369e2642fa888 (diff) | |
| download | libgdx-nougat-mr1.5-release.tar.gz | |
Merge cherrypicks of [2315763, 2315554, 2315573, 2315765, 2315712, 2315595, 2315713, 2315746, 2315786, 2315799, 2315576, 2315800, 2315673, 2315821, 2315578, 2315597, 2315633, 2315598, 2315769, 2315716, 2315634, 2315823, 2315801, 2315636, 2315717, 2315772, 2315753, 2315803, 2315638, 2315840, 2315841, 2315842, 2315824, 2315791, 2315879, 2315804, 2315827, 2315863, 2315792, 2315864, 2315755, 2315882, 2315756, 2315828, 2315793, 2315865, 2315883, 2315899, 2315885, 2315796, 2315869, 2315923, 2315924, 2315943] into nyc-mr1-security-e-releaseandroid-7.1.1_r48android-7.1.1_r45nougat-mr1.5-release
Change-Id: I1e03f53cfb9e83e86274faeec47af6133292fbef
Diffstat (limited to 'gdx/jni/gdx2d/stb_image.h')
| -rw-r--r-- | gdx/jni/gdx2d/stb_image.h | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/gdx/jni/gdx2d/stb_image.h b/gdx/jni/gdx2d/stb_image.h index a9d338a2a..1e48cc40d 100644 --- a/gdx/jni/gdx2d/stb_image.h +++ b/gdx/jni/gdx2d/stb_image.h @@ -965,6 +965,9 @@ static unsigned char *stbi__load_main(stbi__context *s, int *x, int *y, int *com #ifndef STBI_NO_HDR if (stbi__hdr_test(s)) { float *hdr = stbi__hdr_load(s, x,y,comp,req_comp); + if (hdr == NULL) { + return NULL; + } return stbi__hdr_to_ldr(hdr, *x, *y, req_comp ? req_comp : *comp); } #endif @@ -6046,7 +6049,11 @@ static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int re } len <<= 8; len |= stbi__get8(s); - if (len != width) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("invalid decoded scanline length", "corrupt HDR"); } + if (len != width) { + STBI_FREE(hdr_data); + STBI_FREE(scanline); + return stbi__errpf("invalid decoded scanline length", "corrupt HDR"); + } if (scanline == NULL) scanline = (stbi_uc *) stbi__malloc(width * 4); for (k = 0; k < 4; ++k) { @@ -6057,9 +6064,19 @@ static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int re // Run value = stbi__get8(s); count -= 128; + if (count >= width - i) { + STBI_FREE(hdr_data); + STBI_FREE(scanline); + return stbi__errpf("invalid buffer size", "corrupt HDR"); + } for (z = 0; z < count; ++z) scanline[i++ * 4 + k] = value; } else { + if (count >= width - i) { + STBI_FREE(hdr_data); + STBI_FREE(scanline); + return stbi__errpf("invalid buffer size", "corrupt HDR"); + } // Dump for (z = 0; z < count; ++z) scanline[i++ * 4 + k] = stbi__get8(s); |