Fix 36385715 heap overflow when loading HDR files
Change-Id: I9a177c9181bd46dabaa9bfee3573a2e99a6c935a
Fix: 36385715
Test: non-applicable
(cherry picked from commit 6f9470d49364010780cce22ce5c866c2f2f852a5)
diff --git a/gdx/jni/gdx2d/stb_image.h b/gdx/jni/gdx2d/stb_image.h
index a9d338a..23254d6 100644
--- a/gdx/jni/gdx2d/stb_image.h
+++ b/gdx/jni/gdx2d/stb_image.h
@@ -965,6 +965,9 @@
#ifndef STBI_NO_HDR
if (stbi__hdr_test(s)) {
float *hdr = stbi__hdr_load(s, x,y,comp,req_comp);
+ if (hdr == NULL) {
+ return NULL;
+ }
return stbi__hdr_to_ldr(hdr, *x, *y, req_comp ? req_comp : *comp);
}
#endif
@@ -6046,7 +6049,11 @@
}
len <<= 8;
len |= stbi__get8(s);
- if (len != width) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("invalid decoded scanline length", "corrupt HDR"); }
+ if (len != width) {
+ STBI_FREE(hdr_data);
+ STBI_FREE(scanline);
+ return stbi__errpf("invalid decoded scanline length", "corrupt HDR");
+ }
if (scanline == NULL) scanline = (stbi_uc *) stbi__malloc(width * 4);
for (k = 0; k < 4; ++k) {
@@ -6060,6 +6067,11 @@
for (z = 0; z < count; ++z)
scanline[i++ * 4 + k] = value;
} else {
+ if (count > len) {
+ STBI_FREE(hdr_data);
+ STBI_FREE(scanline);
+ return stbi__errpf("invalid buffer size", "corrupt HDR");
+ }
// Dump
for (z = 0; z < count; ++z)
scanline[i++ * 4 + k] = stbi__get8(s);