imlib2-1.2.1-1.3.20060mdk.src.rpm

--- imlib2-1.2.2/src/modules/loaders/loader_tga.c.cve-2006-4807-4808	2006-11-03 07:00:14.000000000 -0700
+++ imlib2-1.2.2/src/modules/loaders/loader_tga.c	2006-11-03 07:07:14.000000000 -0700
@@ -319,6 +319,7 @@ load(ImlibImage * im, ImlibProgressFunct
      {
         unsigned long       datasize;
         unsigned char      *bufptr;
+        unsigned char      *bufend;
         DATA32             *dataptr;
 
         int                 y, pl = 0;
@@ -348,6 +349,9 @@ load(ImlibImage * im, ImlibProgressFunct
         /* bufptr is the next byte to be read from the buffer */
         bufptr = filedata;
 
+        /* bufend is one past the last byte to be read from the buffer */
+        bufend = filedata + datasize;
+
         /* dataptr is the next 32-bit pixel to be filled in */
         dataptr = im->data;
 
@@ -365,7 +369,9 @@ load(ImlibImage * im, ImlibProgressFunct
                   else
                      dataptr = im->data + (y * im->w);
 
-                  for (x = 0; x < im->w; x++)   /* for each pixel in the row */
+                  for (x = 0; x < im->w
+                       && bufptr+bpp/8 < bufend;
+                       x++)   /* for each pixel in the row */
                     {
                        switch (bpp)
                          {
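Review bot: The new bound `bufptr+bpp/8 < bufend` is one byte too strict. The added comment defines bufend as one past the last byte, so a pixel of bpp/8 bytes starting at bufptr is fully in bounds when `bufptr + bpp/8 <= bufend`; with `<` the final pixel of an exactly sized file is never decoded. The same `<` appears in the RLE `while` condition in the next hunk. Writing the test as `(size_t)(bufend - bufptr) >= (size_t)(bpp / 8)` also avoids forming a pointer beyond the buffer. When the loop stops early, the remaining pixels keep whatever im->data already held; whether that buffer is zero-filled is not visible here, so consider clearing it or failing the load on truncated input (the loop body continues outside the hunk).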
@@ -422,13 +428,17 @@ load(ImlibImage * im, ImlibProgressFunct
              unsigned char       curbyte, red, green, blue, alpha;
              DATA32             *final_pixel = dataptr + im->w * im->h;
 
-             /* loop until we've got all the pixels */
-             while (dataptr < final_pixel)
+             /* loop until we've got all the pixels or run out of input */
+             while (dataptr < final_pixel && bufptr+1+bpp/8 < bufend)
                {
                   int                 count;
 
                   curbyte = *bufptr++;
                   count = (curbyte & 0x7F) + 1;
+                  if (dataptr+count > final_pixel)
+                    {
+                      count = final_pixel - dataptr;
+                    }
 
                   if (curbyte & 0x80)   /* RLE packet */
                     {
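Review bot: The loop condition guarantees only the packet header plus one pixel, which covers an RLE packet but not a raw packet, where `count` pixels (up to 128) are presumably read from bufptr in the branch below the hunk. Unless that branch has its own bound, a truncated file can still read past bufend; after the clamp, add something like `if (!(curbyte & 0x80) && (size_t)(bufend - bufptr) < (size_t)count * (bpp / 8)) break;`. The clamp itself is better written as `if (count > final_pixel - dataptr)`, because `dataptr+count` can point more than one element past the end of im->data, which is undefined pointer arithmetic.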