Fix #247, A read out-of-bands was found in the parsing of TGA files (C…

…VE-2016-6132)

src/gd_tga.c

@@ -237,7 +237,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
 			return -1;
 		}
 
-		gdGetBuf(conversion_buffer, image_block_size, ctx);
+		if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
+			gd_error("gd-tga: premature end of image data\n");
+			gdFree(conversion_buffer);
+			return -1;
+		}
 
 		while (buffer_caret < image_block_size) {
 			tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret];
@@ -257,11 +261,16 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
 		}
 		conversion_buffer = (unsigned char *) gdMalloc(image_block_size * sizeof(unsigned char));
 		if (conversion_buffer == NULL) {
+			gd_error("gd-tga: premature end of image data\n");
 			gdFree( decompression_buffer );
 			return -1;
 		}
 
-		gdGetBuf( conversion_buffer, image_block_size, ctx );
+		if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
+			gdFree(conversion_buffer);
+			gdFree(decompression_buffer);
+			return -1;
+		}
 
 		buffer_caret = 0;