From 113553341654ab1a2ff7c544fff489474a384554 Mon Sep 17 00:00:00 2001
From: Lucas Dupin
Date: Fri, 7 Apr 2017 11:40:06 -0700
Subject: Fix heap overflow when loading a PSD. bug 36368305
Change-Id: I15192b7dc056050a04cc7ce0b93b3c0e5406e694
---
 gdx/jni/gdx2d/stb_image.h | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/gdx/jni/gdx2d/stb_image.h b/gdx/jni/gdx2d/stb_image.h
index d91b308af..a9d338a2a 100644
--- a/gdx/jni/gdx2d/stb_image.h
+++ b/gdx/jni/gdx2d/stb_image.h
@@ -5228,6 +5228,10 @@ static stbi_uc *stbi__psd_load(stbi__context *s, int *x, int *y, int *comp, int
 } else if (len < 128) {
 // Copy next len+1 bytes literally.
 len++;
+ if (len >= pixelCount - count) {
+ STBI_FREE(out);
+ return stbi__errpuc("corruptfile", "Corrupt PSD file");
+ }
 count += len;
 while (len) {
 *p = stbi__get8(s);
@@ -5241,6 +5245,10 @@ static stbi_uc *stbi__psd_load(stbi__context *s, int *x, int *y, int *comp, int
 len ^= 0x0FF;
 len += 2;
 val = stbi__get8(s);
+ if (len >= pixelCount - count) {
+ STBI_FREE(out);
+ return stbi__errpuc("corruptfile", "Corrupt PSD file");
+ }
 count += len;
 while (len) {
 *p = val;
--
cgit v1.2.3
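Review bot: The added guard `if (len >= pixelCount - count)` in the literal-run branch also rejects a run that exactly fills the remaining pixels, and the replicate-run branch in the second hunk repeats the same comparison. The enclosing loop is outside both hunks, but if it runs until `count` reaches `pixelCount`, as the names suggest, the last packet of a well-formed RLE channel has `len == pixelCount - count` and would now fail with "Corrupt PSD file". Assuming `out` holds `pixelCount` entries per channel, only a run longer than the remainder writes out of bounds, so both checks should read `if (len > pixelCount - count) {`. A one-line comment above each check, e.g. `// Reject runs that would write past the end of this channel.`, would record why the decoder bails out here.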