bug #248, fix Out-Of-Bounds Read in read_image_tga
oerdnj committed Jul 14, 2016
1 parent 2ea5232 commit 3c2b605
Showing 1 changed file with 26 additions and 8 deletions.
34 changes: 26 additions & 8 deletions src/gd_tga.c
@@ -278,26 +278,44 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
buffer_caret = 0;

while( bitmap_caret < image_block_size ) {

if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) == TGA_RLE_FLAG) {
encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & 127 ) + 1 );
buffer_caret++;

for (i = 0; i < encoded_pixels; i++) {
for (j = 0; j < pixel_block_size; j++, bitmap_caret++) {
tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ];
if (encoded_pixels != 0) {

if (!((buffer_caret + (encoded_pixels * pixel_block_size)) < image_block_size)) {
gdFree( decompression_buffer );
gdFree( conversion_buffer );
return -1;
}

for (i = 0; i < encoded_pixels; i++) {
for (j = 0; j < pixel_block_size; j++, bitmap_caret++) {
tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ];
}
}
}
buffer_caret += pixel_block_size;
} else {
encoded_pixels = decompression_buffer[ buffer_caret ] + 1;
buffer_caret++;

for (i = 0; i < encoded_pixels; i++) {
for( j = 0; j < pixel_block_size; j++, bitmap_caret++ ) {
tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ];
if (encoded_pixels != 0) {

if (!((buffer_caret + (encoded_pixels * pixel_block_size)) < image_block_size)) {
gdFree( decompression_buffer );
gdFree( conversion_buffer );
return -1;
}

for (i = 0; i < encoded_pixels; i++) {
for( j = 0; j < pixel_block_size; j++, bitmap_caret++ ) {
tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ];
}
buffer_caret += pixel_block_size;
}
buffer_caret += pixel_block_size;
}
}
}
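Review bot: The new guard in both branches compares `buffer_caret + (encoded_pixels * pixel_block_size)` with `image_block_size`, which mixes the read index into `decompression_buffer` with the limit the loop condition applies to `bitmap_caret`, so neither the write into `tga->bitmap` nor the read is checked against its own buffer. In the RLE branch only `pixel_block_size` bytes are read per packet while `encoded_pixels * pixel_block_size` bytes are written, so the write side should be tested as `if (bitmap_caret + (encoded_pixels * pixel_block_size) > image_block_size)` and the read side separately against the decompression buffer's actual length, which is not visible in this hunk. The packet header byte `decompression_buffer[buffer_caret]` at the top of the loop is also read before any check on `buffer_caret`. The `encoded_pixels != 0` test looks always true, since both assignments add 1 to a masked or single-byte value (assuming the buffer elements are non-negative; their type is declared outside the hunk). read_image_tga starts and ends outside the hunk.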