Fix 36385715 heap overflow when loading HDR files
Change-Id: I0fa1f69b4d87e32cfbd559db472cc89304ae2b37
Fix: 36385715
Test: PoC
(cherry picked from commit e6247a186731f593924c316382d4971f90126265)
diff --git a/gdx/jni/gdx2d/stb_image.h b/gdx/jni/gdx2d/stb_image.h
index 23254d6..1e48cc4 100644
--- a/gdx/jni/gdx2d/stb_image.h
+++ b/gdx/jni/gdx2d/stb_image.h
@@ -6064,10 +6064,15 @@
// Run
value = stbi__get8(s);
count -= 128;
+ if (count >= width - i) {
+ STBI_FREE(hdr_data);
+ STBI_FREE(scanline);
+ return stbi__errpf("invalid buffer size", "corrupt HDR");
+ }
for (z = 0; z < count; ++z)
scanline[i++ * 4 + k] = value;
} else {
- if (count > len) {
+ if (count >= width - i) {
STBI_FREE(hdr_data);
STBI_FREE(scanline);
return stbi__errpf("invalid buffer size", "corrupt HDR");