
plib-1.8.5-15.mga9.src.rpm

Description: Prevent integer overflow in ssgLoadTGA() function. CVE-2021-38714
Author: Anton Gladky <gladk@debian.org>
Bug-Debian: https://bugs.debian.org/992973
Last-Update: 2021-10-02

Index: plib/src/ssg/ssgLoadTGA.cxx
===================================================================
--- plib.orig/src/ssg/ssgLoadTGA.cxx
+++ plib/src/ssg/ssgLoadTGA.cxx
@@ -23,6 +23,7 @@
 
 
 #include "ssgLocal.h"
+#include <new>
 
 #ifdef SSG_LOAD_TGA_SUPPORTED
 
@@ -169,9 +170,30 @@ bool ssgLoadTGA ( const char *fname, ssg
     }
 
 
+    const auto bytes_to_allocate = (bits / 8) * xsize * ysize;
+
+    if (xsize != 0 && ((ysize * (bits / 8)) != bytes_to_allocate / xsize))
+    {
+    	ulSetError( UL_WARNING, "Integer overflow in image size: xsize = %d, ysize = %d", xsize, ysize);
+	    return false;
+    }
+    else
+    {
+        ulSetError( UL_DEBUG, "ssgLoadTGA: Allocating %d bytes for the size %d x %d %s", bytes_to_allocate, xsize, ysize );
+    }
+
     // read image data
 
-    GLubyte *image = new GLubyte [ (bits / 8) * xsize * ysize ];
+    GLubyte *image;
+    try
+    {
+        image = new GLubyte [ bytes_to_allocate ];
+    }
+    catch (const std::bad_alloc& e)
+    {
+        ulSetError( UL_FATAL, "ssgLoadTGA:  allocation of %d bytes failed! Thrown error: %s", bytes_to_allocate, e.what());
+	    return false;
+    }
 
     if ((type & 8) != 0) 
     {
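Review bot: The UL_DEBUG message in the added `else` branch ends in a `%s` that has no matching argument, so every load that passes the size check hands a printf-style format one argument short; if ulSetError formats through the varargs family (its definition is not in this hunk), that is undefined behaviour on the normal path. Drop the stray conversion: `ulSetError( UL_DEBUG, "ssgLoadTGA: Allocating %d bytes for the size %d x %d", bytes_to_allocate, xsize, ysize );`. Separately, the overflow test runs only after `(bits / 8) * xsize * ysize` has been evaluated; if those variables are plain `int` (their declarations are outside the hunk), the overflow is itself undefined and the compiler may assume the check never fires. Doing the multiplication in a 64-bit type and comparing it with an explicit maximum before narrowing would not depend on wrapped arithmetic. The body of ssgLoadTGA starts and ends outside the hunk.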