Description: Prevent integer overflow in ssgLoadTGA() function. CVE-2021-38714
Author: Anton Gladky <gladk@debian.org>
Bug-Debian: https://bugs.debian.org/992973
Last-Update: 2021-10-02
Index: plib/src/ssg/ssgLoadTGA.cxx
===================================================================
--- plib.orig/src/ssg/ssgLoadTGA.cxx
+++ plib/src/ssg/ssgLoadTGA.cxx
@@ -23,6 +23,7 @@
 #include "ssgLocal.h"
+#include <new>
 #ifdef SSG_LOAD_TGA_SUPPORTED
@@ -169,9 +170,30 @@ bool ssgLoadTGA ( const char *fname, ssg
 }
+ const auto bytes_to_allocate = (bits / 8) * xsize * ysize;
+
+ if (xsize != 0 && ((ysize * (bits / 8)) != bytes_to_allocate / xsize))
+ {
+ ulSetError( UL_WARNING, "Integer overflow in image size: xsize = %d, ysize = %d", xsize, ysize);
+ return false;
+ }
+ else
+ {
+ ulSetError( UL_DEBUG, "ssgLoadTGA: Allocating %d bytes for the size %d x %d %s", bytes_to_allocate, xsize, ysize );
+ }
+
 // read image data
- GLubyte *image = new GLubyte [ (bits / 8) * xsize * ysize ];
+ GLubyte *image;
+ try
+ {
+ image = new GLubyte [ bytes_to_allocate ];
+ }
+ catch (const std::bad_alloc& e)
+ {
+ ulSetError( UL_FATAL, "ssgLoadTGA: allocation of %d bytes failed! Thrown error: %s", bytes_to_allocate, e.what());
+ return false;
+ }
 if ((type & 8) != 0) {
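Review bot: The overflow test in the second hunk runs only after `(bits / 8) * xsize * ysize` has been evaluated, so if the operands are plain `int` (the `%d` conversions suggest so; their declarations are outside the hunk) the multiplication itself is signed overflow, which is undefined behaviour, and an optimising compiler may drop the division check that follows. Widening before multiplying keeps the guard well defined, e.g. `const unsigned long long bytes_to_allocate = 1ULL * (bits / 8) * xsize * ysize;` compared against an explicit upper bound before the `new`, with the `%d` conversions for that value changed to `%llu`. Separately, the `UL_DEBUG` format string ends in `%s` but only three arguments follow it, so a printf-style `ulSetError` would read a variadic argument that was never passed; the string should end at `"... for the size %d x %d"`. The body of ssgLoadTGA starts and ends outside the hunk, so it should also be confirmed that the two new `return false` paths release anything acquired earlier in the function, such as an open file handle.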