Fix a crash in the TGA loader with malformed input #45701

Merged on Feb 4, 2021 (1 commit)


hpvb
Member

@hpvb hpvb commented Feb 4, 2021

Version for master.

@hpvb hpvb requested a review from akien-mga February 4, 2021 12:13
@hpvb
Member Author

hpvb commented Feb 4, 2021

Thanks a lot to Carlos Ramirez Catano for reporting this bug. Attached are the files that show the issue.
poc-input.zip

@akien-mga akien-mga merged commit 59ae3ea into godotengine:master Feb 4, 2021
@akien-mga
Member

Thanks!

@hpvb hpvb deleted the fix-tga-crash branch February 4, 2021 21:19
@CarlosAndresRamirez

Thank you guys for the quick response. This issue needed immediate attention.
Keep up the good work.

@akien-mga
Member

For reference, the bug fixed by this PR was assigned these two CVEs:

@CarlosAndresRamirez

CarlosAndresRamirez commented Mar 16, 2021

Hello @hpvb @akien-mga
As Godot Engine is a leading open source project for game development, I was thinking it would be appropriate to provide some additional assurance to the community regarding quality and security best practices of the project. Recently, this is a key factor for companies/development teams when choosing their technology stack.

As an initial step the project could adopt something like https://securitytxt.org, do and document security reviews and other activities.

What do you think?
I am myself willing to support these initiatives.
Looking forward to hearing your thoughts.

@Calinou
Member

Calinou commented Sep 15, 2021

@CarlosAndresRamirez As an update, we deployed security.txt on the Godot website: godotengine/godot-website#332

We're also adding a dedicated security contact email: godotengine/godot-website#365

4 participants