diff options
author | Lucas Dupin <dupin@google.com> | 2017-04-07 11:40:06 -0700 |
---|---|---|
committer | gitbuildkicker <android-build@google.com> | 2017-04-24 12:19:29 -0700 |
commit | 16e447a46fbe60584d6113390e039259dd723f68 (patch) | |
tree | 836801c4670db6fa8c58cc6c95a28b42663494aa | |
parent | e86eedd2e4af676ec6fdbdb5d8f4b8a87f7a6469 (diff) | |
download | libgdx-nougat-mr1-volantis-release.tar.gz |
Fix heap overflow when loading a PSD. bug 36368305android-7.1.1_r43nougat-mr1-volantis-release
Change-Id: Ia4480bcc9d06c80c4ccfb8b59d7ad1cf313d3479
Fix: 36368305
Bug: 36368305
Test: non-applicable
(cherry picked from commit 839cb7ebd84ed02ce52847da5275ab27d7515c79)
-rw-r--r-- | gdx/jni/gdx2d/stb_image.h | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/gdx/jni/gdx2d/stb_image.h b/gdx/jni/gdx2d/stb_image.h index d91b308af..a9d338a2a 100644 --- a/gdx/jni/gdx2d/stb_image.h +++ b/gdx/jni/gdx2d/stb_image.h @@ -5228,6 +5228,10 @@ static stbi_uc *stbi__psd_load(stbi__context *s, int *x, int *y, int *comp, int } else if (len < 128) { // Copy next len+1 bytes literally. len++; + if (len >= pixelCount - count) { + STBI_FREE(out); + return stbi__errpuc("corruptfile", "Corrupt PSD file"); + } count += len; while (len) { *p = stbi__get8(s); @@ -5241,6 +5245,10 @@ static stbi_uc *stbi__psd_load(stbi__context *s, int *x, int *y, int *comp, int len ^= 0x0FF; len += 2; val = stbi__get8(s); + if (len >= pixelCount - count) { + STBI_FREE(out); + return stbi__errpuc("corruptfile", "Corrupt PSD file"); + } count += len; while (len) { *p = val; |