Skip to content
Permalink
Browse files

Fix #247, A read out-of-bands was found in the parsing of TGA files (…

…CVE-2016-6132)
  • Loading branch information
oerdnj committed Jul 12, 2016
1 parent 0878ffd commit ead349e99868303b37f5e6e9d9d680c9dc71ff8d
Showing with 11 additions and 2 deletions.
  1. +11 −2 src/gd_tga.c
@@ -237,7 +237,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
return -1;
}

gdGetBuf(conversion_buffer, image_block_size, ctx);
if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
gd_error("gd-tga: premature end of image data\n");
gdFree(conversion_buffer);
return -1;
}

while (buffer_caret < image_block_size) {
tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret];
@@ -257,11 +261,16 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
}
conversion_buffer = (unsigned char *) gdMalloc(image_block_size * sizeof(unsigned char));
if (conversion_buffer == NULL) {
gd_error("gd-tga: premature end of image data\n");
gdFree( decompression_buffer );
return -1;
}

gdGetBuf( conversion_buffer, image_block_size, ctx );
if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
gdFree(conversion_buffer);
gdFree(decompression_buffer);
return -1;
}

buffer_caret = 0;

0 comments on commit ead349e

Please sign in to comment.
You can’t perform that action at this time.