
SDL_image-1.2.12-14.mga8.src.rpm

Description: xcf: deal with bogus data in rle tile decoding.
Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7df1580f1695

--- a/IMG_xcf.c
+++ b/IMG_xcf.c
@@ -470,6 +470,7 @@ static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp,
   reallen = SDL_RWread (src, t, 1, len);
 
   data = (unsigned char *) malloc (x*y*bpp);
+  data = (unsigned char *) calloc (1, x*y*bpp);
   for (i = 0; i < bpp; i++) {
     d    = data + i;
     size = x*y;
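Review bot: The `malloc` line is kept as context directly above the added `calloc`, so the patched code allocates `data` twice and leaks the first buffer on every tile decoded. This is possibly a backport artifact, since the zero-filled buffer is clearly the one meant to be used. The `malloc` line should be removed so that only `data = (unsigned char *) calloc (1, x*y*bpp);` remains. The `calloc` result is also used by `d = data + i;` without a NULL check, and `x*y*bpp` is computed before any range check visible here, so oversized dimensions from the file could wrap the size. A guard such as `if (data == NULL) { free (load); return NULL; }` would help, assuming `load` is the input buffer allocated above the hunk and callers tolerate a NULL tile. The body of load_xcf_tile_rle starts and ends outside this hunk.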
@@ -486,6 +487,12 @@ static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp,
 	  t += 2;
 	}
 
+	if (((size_t) (t - load) + length) >= len) {
+		break;  /* bogus data */
+	} else if (length > size) {
+		break;  /* bogus data */
+	}
+
 	count += length;
 	size -= length;
 
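Review bot: This bounds check runs only after `t` has been advanced past the opcode byte and, on the long-run path that ends at `t += 2;`, past the two-byte length. Those reads are above the hunk and, as far as can be seen here, are not limited by `len`, so a tile that ends mid-opcode could still read a few bytes past the input buffer before the new `break` is reached. A guard placed before the opcode read, for example `if ((size_t) (t - load) >= len) break;`, plus an equivalent one before the two-byte length, would close that gap. The same applies to the repeat-run check in the next hunk. Both checks also compare against the requested `len` rather than the `reallen` returned by `SDL_RWread` in the first hunk, so after a short read the decoder may consume bytes that were never filled in. Comparing against `reallen` looks safer, subject to confirming its type and how `load` is allocated.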
@@ -501,6 +508,12 @@ static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp,
 	  t += 2;
 	}
 
+	if (((size_t) (t - load)) >= len) {
+		break;  /* bogus data */
+	} else if (length > size) {
+		break;  /* bogus data */
+	}
+
 	count += length;
 	size -= length;
 
@@ -512,6 +525,10 @@ static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp,
 	}
       }
     }
+
+    if (size > 0) {
+      break;  /* just drop out, untouched data initialized to zero. */
+    }
   }
 
   free (load);
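Review bot: When `size > 0` triggers the `break`, the function goes on to `free (load);` and presumably returns `data` as if decoding had succeeded, so a truncated or malformed tile cannot be told apart from a valid one. That is a safe failure mode for memory, but it hides corrupt input from the application and from anyone triaging a suspicious file. Recording the condition before the `break`, for instance `IMG_SetError ("xcf: corrupt RLE tile data");`, would keep the partial-tile behaviour while leaving a trace. The comment on the `break` could also state that the remaining channels of the tile are left zeroed as well, since the `break` exits the per-channel `for` loop and not only the current channel.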