xcf: Fix potential buffer overflow on corrupt or maliciously-crafted XCF file.

icculus · icculus · commit 8373c58aa8c6 · 2018-09-26T14:58:31.000-04:00
diff --git a/IMG_xcf.c b/IMG_xcf.c
@@ -638,6 +638,9 @@ do_layer_surface(SDL_Surface * surface, SDL_RWops * src, xcf_header * head, xcf_
             p16 = (Uint16 *) p8;
             p = (Uint32 *) p8;
             for (y = ty; y < ty + oy; y++) {
+                if ((ty >= surface->h) || ((tx+ox) > surface->w)) {
+                    break;
+                }
                 row = (Uint32 *) ((Uint8 *) surface->pixels + y * surface->pitch + tx * 4);
                 switch (hierarchy->bpp) {
                 case 4:
