diff options
author | Lucas Dupin <dupin@google.com> | 2017-04-07 11:40:06 -0700 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2017-04-21 20:39:09 +0000 |
commit | 113553341654ab1a2ff7c544fff489474a384554 (patch) | |
tree | 836801c4670db6fa8c58cc6c95a28b42663494aa | |
parent | 207fb034b5e898c53954474c5dc7aaec3955bb1d (diff) | |
download | libgdx-113553341654ab1a2ff7c544fff489474a384554.tar.gz |
Fix heap overflow when loading a PSD. bug 36368305
Change-Id: I15192b7dc056050a04cc7ce0b93b3c0e5406e694
-rw-r--r-- | gdx/jni/gdx2d/stb_image.h | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/gdx/jni/gdx2d/stb_image.h b/gdx/jni/gdx2d/stb_image.h index d91b308af..a9d338a2a 100644 --- a/gdx/jni/gdx2d/stb_image.h +++ b/gdx/jni/gdx2d/stb_image.h @@ -5228,6 +5228,10 @@ static stbi_uc *stbi__psd_load(stbi__context *s, int *x, int *y, int *comp, int } else if (len < 128) { // Copy next len+1 bytes literally. len++; + if (len >= pixelCount - count) { + STBI_FREE(out); + return stbi__errpuc("corruptfile", "Corrupt PSD file"); + } count += len; while (len) { *p = stbi__get8(s); @@ -5241,6 +5245,10 @@ static stbi_uc *stbi__psd_load(stbi__context *s, int *x, int *y, int *comp, int len ^= 0x0FF; len += 2; val = stbi__get8(s); + if (len >= pixelCount - count) { + STBI_FREE(out); + return stbi__errpuc("corruptfile", "Corrupt PSD file"); + } count += len; while (len) { *p = val; |