From c9adfec386a8afd76607e45a23f39136410fa7f8 Mon Sep 17 00:00:00 2001
From: Mark Riedesel
Date: Sun, 30 Oct 2022 11:20:50 -0500
Subject: [PATCH] Add buffer size check to Image.load_tga_from_buffer(). Fixes #67985
(cherry picked from commit 5cb07486db6fc53cc5a13e3451dd451e987f39d7)
---
 modules/tga/image_loader_tga.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/modules/tga/image_loader_tga.cpp b/modules/tga/image_loader_tga.cpp
index 6edd75733f1..a05664f475b 100644
--- a/modules/tga/image_loader_tga.cpp
+++ b/modules/tga/image_loader_tga.cpp
@@ -265,14 +265,21 @@ Error ImageLoaderTGA::load_image(Ref p_image, FileAccess *f, bool p_force
 err = FAILED;
 }
+ uint64_t color_map_size;
 if (has_color_map) {
 if (tga_header.color_map_length > 256 || (tga_header.color_map_depth != 24) || tga_header.color_map_type != 1) {
 err = FAILED;
 }
+ color_map_size = tga_header.color_map_length * (tga_header.color_map_depth >> 3);
 } else {
 if (tga_header.color_map_type) {
 err = FAILED;
 }
+ color_map_size = 0;
+ }
+
+ if ((src_image_len - f->get_position()) < (tga_header.id_length + color_map_size)) {
+ err = FAILED; // TGA data appears to be truncated (fewer bytes than expected).
 }
 if (tga_header.image_width <= 0 || tga_header.image_height <= 0) {
@@ -289,7 +296,6 @@ Error ImageLoaderTGA::load_image(Ref p_image, FileAccess *f, bool p_force
 PoolVector palette;
 if (has_color_map) {
- size_t color_map_size = tga_header.color_map_length * (tga_header.color_map_depth >> 3);
 err = palette.resize(color_map_size);
 if (err == OK) {
 PoolVector::Write palette_w = palette.write();
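Review bot: The truncation check added in the first hunk subtracts before it compares, so `src_image_len - f->get_position()` can wrap if both operands are unsigned (their declarations are outside the hunk) and the read position has already passed the end of a buffer shorter than the header. In that case the difference becomes a huge value and the check passes for exactly the inputs it is meant to reject. Testing the position first keeps the guard sound: `if (f->get_position() > src_image_len || (src_image_len - f->get_position()) < (tga_header.id_length + color_map_size)) {`. The guard also covers only the image ID and colour map, so whether the pixel data is length-checked depends on code after this hunk; load_image starts and ends outside the hunk.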