Add buffer size check to Image.load_tga_from_buffer(). Fixes #67985
(cherry picked from commit 5cb07486db
)
This commit is contained in:
parent
8065ac29c5
commit
c9adfec386
|
@ -265,14 +265,21 @@ Error ImageLoaderTGA::load_image(Ref<Image> p_image, FileAccess *f, bool p_force
|
||||||
err = FAILED;
|
err = FAILED;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
uint64_t color_map_size;
|
||||||
if (has_color_map) {
|
if (has_color_map) {
|
||||||
if (tga_header.color_map_length > 256 || (tga_header.color_map_depth != 24) || tga_header.color_map_type != 1) {
|
if (tga_header.color_map_length > 256 || (tga_header.color_map_depth != 24) || tga_header.color_map_type != 1) {
|
||||||
err = FAILED;
|
err = FAILED;
|
||||||
}
|
}
|
||||||
|
color_map_size = tga_header.color_map_length * (tga_header.color_map_depth >> 3);
|
||||||
} else {
|
} else {
|
||||||
if (tga_header.color_map_type) {
|
if (tga_header.color_map_type) {
|
||||||
err = FAILED;
|
err = FAILED;
|
||||||
}
|
}
|
||||||
|
color_map_size = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((src_image_len - f->get_position()) < (tga_header.id_length + color_map_size)) {
|
||||||
|
err = FAILED; // TGA data appears to be truncated (fewer bytes than expected).
|
||||||
}
|
}
|
||||||
|
|
||||||
if (tga_header.image_width <= 0 || tga_header.image_height <= 0) {
|
if (tga_header.image_width <= 0 || tga_header.image_height <= 0) {
|
||||||
|
@ -289,7 +296,6 @@ Error ImageLoaderTGA::load_image(Ref<Image> p_image, FileAccess *f, bool p_force
|
||||||
PoolVector<uint8_t> palette;
|
PoolVector<uint8_t> palette;
|
||||||
|
|
||||||
if (has_color_map) {
|
if (has_color_map) {
|
||||||
size_t color_map_size = tga_header.color_map_length * (tga_header.color_map_depth >> 3);
|
|
||||||
err = palette.resize(color_map_size);
|
err = palette.resize(color_map_size);
|
||||||
if (err == OK) {
|
if (err == OK) {
|
||||||
PoolVector<uint8_t>::Write palette_w = palette.write();
|
PoolVector<uint8_t>::Write palette_w = palette.write();
|
||||||
|
|
Loading…
Reference in New Issue