Check if the line pointer goes away from the image buffer's EOF in the BMP importer #46555
Conversation
Calinou
added
bug
cherrypick:3.x
gongpha
force-pushed
the
line-ptr-more-than-size-bmp
branch
from
b68c10a
to
47d56dc
Compare
modules/bmp/image_loader_bmp.cpp
Outdated
| @@ -91,11 +91,13 @@ Error ImageLoaderBMP::convert_to_image(Ref<Image> p_image, | |||
| // the data width in case of 8/4/1 bit images | |||
| const uint32_t w = bits_per_pixel >= 24 ? width : width_bytes; | |||
| const uint8_t *line = p_buffer + (line_width * (height - 1)); | |||
| const uint8_t *end_buffer = p_buffer + p_header.bmp_info_header.bmp_size_image; | |||
There was a problem hiding this comment.
bmp_size_image do we trust this number? How is this calculated? I would expect the buffer size to be calculable from the size of the bmp.
There was a problem hiding this comment.
I found that buffer size is calculated from bmp_file_size - bmp_file_offset. However, if two variables are corrupt but the buffer had allocated as calculated. I think it may be safe to trust this calculation.
gongpha
force-pushed
the
line-ptr-more-than-size-bmp
branch
from
47d56dc
to
ac5d7ab
Compare
There was a problem hiding this comment.
- I tested that the bug still works on master, and also that this fixes it.
- Yep, that would be how you compute the buffer size, as evidenced here:
godot/modules/bmp/image_loader_bmp.cpp
Lines 280 to 281 in ac5d7ab
Would this change allow Godot to catch every possible case of a corrupted image? No, probably not. But it will prevent crashes!
I would argue the class would benefit from a refactor, but that is not here nor there.
|
Thanks! |
akien-mga
removed
the
cherrypick:3.x
Fixes #46542.
I wish there is a better way to handle this.