[3.2] Fix a crash in the TGA loader with malformed input #45702


Merged
merged 1 commit into from
Feb 4, 2021

hpvb
Member

@hpvb hpvb commented Feb 4, 2021

Version for 3.2 of #45701.

@hpvb hpvb requested a review from akien-mga February 4, 2021 12:13
@hpvb
Member Author

hpvb commented Feb 4, 2021

Thanks a lot to Carlos Ramirez Catano for reporting this bug. Attached are the files that show the issue.
poc-input.zip

@akien-mga akien-mga added this to the 3.2 milestone Feb 4, 2021
@akien-mga akien-mga changed the title Fix a crash in the TGA loader with malformed input [3.2] Fix a crash in the TGA loader with malformed input Feb 4, 2021
@akien-mga akien-mga merged commit f42f6ed into godotengine:3.2 Feb 4, 2021
@akien-mga
Member

Thanks!

@hpvb hpvb deleted the fix-tga-crash-32 branch February 4, 2021 21:19
gentoo-bot pushed a commit to gentoo/guru that referenced this pull request Feb 10, 2021
An integer overflow issue exists in Godot Engine up to v3.2 that can
be triggered when loading specially crafted .TGA image files. The
vulnerability exists in ImageLoaderTGA::load_image() function at line:

const size_t buffer_size = (tga_header.image_width * tga_header.image_height) * pixel_size;

The bug leads to Dynamic stack buffer overflow. Depending on the
context of the application, attack vector can be local or remote,
and can lead to code execution and/or system crash.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-26825
Reference: godotengine/godot#45702
Closes: https://bugs.gentoo.org/769761
Package-Manager: Portage-3.0.14, Repoman-3.0.2
Signed-off-by: Ross Charles Campbell <rossbridger.cc@gmail.com>
@akien-mga akien-mga modified the milestones: 3.2, 3.3 Apr 20, 2021
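
The size computation quoted in the commit message above multiplies two header fields before widening the result. The following is an added example, not Godot's code and not the change merged in this pull request; it assumes the 16-bit width and height fields of the TGA header format, and the struct, function names and `max_bytes` cap are hypothetical. It shows when the `int`-promoted product overflows and how to compute the size in 64-bit arithmetic with an upper bound.

```cpp
#include <climits>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical subset of a TGA header. Field widths follow the TGA format:
// 16-bit width and height, 8-bit pixel depth given in bits.
struct TgaDims {
    uint16_t image_width;
    uint16_t image_height;
    uint8_t pixel_depth;
};

// True when width * height, evaluated after the usual promotion of both
// uint16_t operands to int, would exceed INT_MAX (signed overflow, undefined).
bool int_product_overflows(const TgaDims &d) {
    const int64_t wide = int64_t(d.image_width) * int64_t(d.image_height);
    return wide > INT_MAX;
}

// Computes width * height * bytes_per_pixel in 64-bit arithmetic, where the
// largest possible product (65535 * 65535 * 31) cannot wrap, and rejects
// sizes above max_bytes (a caller-chosen cap, an assumption of this example).
bool checked_buffer_size(const TgaDims &d, uint64_t max_bytes, size_t *out) {
    if (d.image_width == 0 || d.image_height == 0) return false;
    if (d.pixel_depth == 0 || d.pixel_depth % 8 != 0) return false;
    const uint64_t pixel_size = d.pixel_depth >> 3;
    const uint64_t total = uint64_t(d.image_width) * d.image_height * pixel_size;
    if (total > max_bytes || total > SIZE_MAX) return false;
    *out = static_cast<size_t>(total);
    return true;
}

int main() {
    // Constructed sample headers: one ordinary image, one with maximal fields.
    const TgaDims samples[] = { {640, 480, 24}, {65535, 65535, 32} };
    for (const TgaDims &d : samples) {
        size_t size = 0;
        const bool ok = checked_buffer_size(d, 256u * 1024 * 1024, &size);
        std::printf("%ux%u@%u: int overflow=%d accepted=%d size=%zu\n",
                    unsigned(d.image_width), unsigned(d.image_height),
                    unsigned(d.pixel_depth), int(int_product_overflows(d)),
                    int(ok), size);
    }
    return 0;
}
```
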