Description: xcf: Prevent infinite loop and/or buffer overflow on bogus data. Origin: upstream, https://hg.libsdl.org/SDL_image/rev/c5f9cbb5d2bb --- a/IMG_xcf.c +++ b/IMG_xcf.c @@ -466,6 +466,10 @@ static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp, int i, size, count, j, length; unsigned char val; + if (len == 0) { /* probably bogus data. */ + return NULL; + } + t = load = (unsigned char *) malloc (len); reallen = SDL_RWread (src, t, 1, len); @@ -581,6 +585,16 @@ static int do_layer_surface (SDL_Surface * surface, SDL_RWops * src, xcf_header ox, oy); } + if (!tile) { + if (hierarchy) { + free_xcf_hierarchy(hierarchy); + } + if (level) { + free_xcf_level(level); + } + return 1; + } + p8 = tile; p16 = (Uint16 *) p8; p = (Uint32 *) p8;