Check for some obviously bad inputs from corrupt/malicious data.
These all caused crashes during fuzzing.
This commit is contained in:
Ryan C. Gordon
parent
385b5d3cda
commit
b5d2296d5d
16
stb_image.h
16
stb_image.h
@ -4072,7 +4072,7 @@ static int stbi__zhuffman_decode_slowpath(stbi__zbuf *a, stbi__zhuffman *z)
|
||||
for (s=STBI__ZFAST_BITS+1; ; ++s)
|
||||
if (k < z->maxcode[s])
|
||||
break;
|
||||
if (s == 16) return -1; // invalid code!
|
||||
if (s >= 16) return -1; // invalid code!
|
||||
// code size is s, so:
|
||||
b = (k >> (16-s)) - z->firstcode[s] + z->firstsymbol[s];
|
||||
STBI_ASSERT(z->size[b] == s);
|
||||
@ -5060,10 +5060,12 @@ static void *stbi__do_png(stbi__png *p, int *x, int *y, int *n, int req_comp, st
|
||||
void *result=NULL;
|
||||
if (req_comp < 0 || req_comp > 4) return stbi__errpuc("bad req_comp", "Internal error");
|
||||
if (stbi__parse_png_file(p, STBI__SCAN_load, req_comp)) {
|
||||
if (p->depth < 8)
|
||||
if (p->depth <= 8)
|
||||
ri->bits_per_channel = 8;
|
||||
else if (p->depth == 16)
|
||||
ri->bits_per_channel = 16;
|
||||
else
|
||||
ri->bits_per_channel = p->depth;
|
||||
return stbi__errpuc("bad bits_per_channel", "PNG not supported: unsupported color depth");
|
||||
result = p->out;
|
||||
p->out = NULL;
|
||||
if (req_comp && req_comp != p->s->img_out_n) {
|
||||
@ -5224,6 +5226,8 @@ static void *stbi__bmp_parse_header(stbi__context *s, stbi__bmp_data *info)
|
||||
info->mr = info->mg = info->mb = info->ma = 0;
|
||||
info->extra_read = 14;
|
||||
|
||||
if (info->offset < 0) return stbi__errpuc("bad BMP", "bad BMP");
|
||||
|
||||
if (hsz != 12 && hsz != 40 && hsz != 56 && hsz != 108 && hsz != 124) return stbi__errpuc("unknown BMP", "BMP type not supported: unknown");
|
||||
if (hsz == 12) {
|
||||
s->img_x = stbi__get16le(s);
|
||||
@ -5424,6 +5428,7 @@ static void *stbi__bmp_load(stbi__context *s, int *x, int *y, int *comp, int req
|
||||
gshift = stbi__high_bit(mg)-7; gcount = stbi__bitcount(mg);
|
||||
bshift = stbi__high_bit(mb)-7; bcount = stbi__bitcount(mb);
|
||||
ashift = stbi__high_bit(ma)-7; acount = stbi__bitcount(ma);
|
||||
if (rcount > 8 || gcount > 8 || bcount > 8 || acount > 8) { STBI_FREE(out); return stbi__errpuc("bad masks", "Corrupt BMP"); }
|
||||
}
|
||||
for (j=0; j < (int) s->img_y; ++j) {
|
||||
if (easy) {
|
||||
@ -5687,6 +5692,11 @@ static void *stbi__tga_load(stbi__context *s, int *x, int *y, int *comp, int req
|
||||
// do I need to load a palette?
|
||||
if ( tga_indexed)
|
||||
{
|
||||
if (tga_palette_len == 0) { /* you have to have at least one entry! */
|
||||
STBI_FREE(tga_data);
|
||||
return stbi__errpuc("bad palette", "Corrupt TGA");
|
||||
}
|
||||
|
||||
// any data to skip? (offset usually = 0)
|
||||
stbi__skip(s, tga_palette_start );
|
||||
// load the palette
|
||||
|
||||
Loading…
Reference in New Issue
Block a user