commit 506ace231604bf3d9e58aeb70d32e34fedf18427
author Lucas Dupin <dupin@google.com> Thu Apr 06 17:44:08 2017 -0700
committer android-build-team Robot <android-build-team-robot@google.com> Wed May 31 20:25:29 2017 +0000
tree 35e1c94c7cd48f357ca7c2a6f6c5991211cd2769
parent c9234136dfb07984a4e620fcac05dcaa7e8f3818

Fix 36385715 heap overflow when loading HDR files

Change-Id: I9a177c9181bd46dabaa9bfee3573a2e99a6c935a
Fix: 36385715
Test: non-applicable
(cherry picked from commit 6f9470d49364010780cce22ce5c866c2f2f852a5)

gdx/jni/gdx2d/stb_image.h

diff --git a/gdx/jni/gdx2d/stb_image.h b/gdx/jni/gdx2d/stb_image.h
index a9d338a..23254d6 100644
--- a/gdx/jni/gdx2d/stb_image.h
+++ b/gdx/jni/gdx2d/stb_image.h
@@ -965,6 +965,9 @@
    #ifndef STBI_NO_HDR
    if (stbi__hdr_test(s)) {
       float *hdr = stbi__hdr_load(s, x,y,comp,req_comp);
+      if (hdr == NULL) {
+         return NULL;
+      }
       return stbi__hdr_to_ldr(hdr, *x, *y, req_comp ? req_comp : *comp);
    }
    #endif
@@ -6046,7 +6049,11 @@
          }
          len <<= 8;
          len |= stbi__get8(s);
-         if (len != width) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("invalid decoded scanline length", "corrupt HDR"); }
+         if (len != width) {
+            STBI_FREE(hdr_data);
+            STBI_FREE(scanline);
+            return stbi__errpf("invalid decoded scanline length", "corrupt HDR");
+         }
          if (scanline == NULL) scanline = (stbi_uc *) stbi__malloc(width * 4);
 
          for (k = 0; k < 4; ++k) {
@@ -6060,6 +6067,11 @@
                   for (z = 0; z < count; ++z)
                      scanline[i++ * 4 + k] = value;
                } else {
+                  if (count > len) {
+                     STBI_FREE(hdr_data);
+                     STBI_FREE(scanline);
+                     return stbi__errpf("invalid buffer size", "corrupt HDR");
+                  }
                   // Dump
                   for (z = 0; z < count; ++z)
                      scanline[i++ * 4 + k] = stbi__get8(s);