Merge branch 'stb-image-fuzzing-fixes' of https://github.com/rcgordon/stb into working

This commit is contained in:
Sean Barrett 2020-07-13 03:53:53 -07:00
commit bfaccab17a

View File

@ -93,22 +93,30 @@ RECENT REVISION HISTORY:
Carmelo J Fdez-Aguera Carmelo J Fdez-Aguera
Bug & warning fixes Bug & warning fixes
Marc LeBlanc David Woo Guillaume George Martins Mozeiko Marc LeBlanc David Woo Guillaume George Martins Mozeiko
Christpher Lloyd Jerry Jansson Joseph Thomson Phil Jordan Christpher Lloyd Jerry Jansson Joseph Thomson Blazej Dariusz Roszkowski
Dave Moore Roy Eltham Hayaki Saito Nathan Reed Phil Jordan Dave Moore Roy Eltham
Won Chun Luke Graham Johan Duparc Nick Verigakis Hayaki Saito Nathan Reed Won Chun
the Horde3D community Thomas Ruf Ronny Chevalier github:rlyeh Luke Graham Johan Duparc Nick Verigakis the Horde3D community
Janez Zemva John Bartholomew Michal Cichon github:romigrou Thomas Ruf Ronny Chevalier github:rlyeh
Jonathan Blow Ken Hamada Tero Hanninen github:svdijk Janez Zemva John Bartholomew Michal Cichon github:romigrou
Laurent Gomila Cort Stratton Sergio Gonzalez github:snagar Jonathan Blow Ken Hamada Tero Hanninen github:svdijk
Aruelien Pocheville Thibault Reuille Cass Everitt github:Zelex Laurent Gomila Cort Stratton github:snagar
Ryamond Barbiero Paul Du Bois Engin Manap github:grim210 Aruelien Pocheville Sergio Gonzalez Thibault Reuille github:Zelex
Aldo Culquicondor Philipp Wiesemann Dale Weiler github:sammyhw Cass Everitt Ryamond Barbiero github:grim210
Oriol Ferrer Mesia Josh Tobin Matthew Gregan github:phprus Paul Du Bois Engin Manap Aldo Culquicondor github:sammyhw
Julian Raschke Gregory Mullen Baldur Karlsson github:poppolopoppo Philipp Wiesemann Dale Weiler Oriol Ferrer Mesia github:phprus
Christian Floisand Kevin Schmidt JR Smith github:darealshinji Josh Tobin Matthew Gregan github:poppolopoppo
Brad Weinberger Matvey Cherevko Luca Sas github:Michaelangel007 Julian Raschke Gregory Mullen Christian Floisand github:darealshinji
Blazej Dariusz Roszkowski Alexander Veselov Zack Middleton Baldur Karlsson Kevin Schmidt JR Smith github:Michaelangel007
Brad Weinberger Matvey Cherevko [reserved]
Luca Sas Alexander Veselov Zack Middleton [reserved]
Ryan C. Gordon [reserved] [reserved]
DO NOT ADD YOUR NAME HERE
To add your name to the credits, pick a random blank space in the middle and fill it.
80% of merge conflicts on stb PRs are due to people adding their name at the end
of the credits.
*/ */
#ifndef STBI_INCLUDE_STB_IMAGE_H #ifndef STBI_INCLUDE_STB_IMAGE_H
@ -318,7 +326,14 @@ RECENT REVISION HISTORY:
// - If you use STBI_NO_PNG (or _ONLY_ without PNG), and you still // - If you use STBI_NO_PNG (or _ONLY_ without PNG), and you still
// want the zlib decoder to be available, #define STBI_SUPPORT_ZLIB // want the zlib decoder to be available, #define STBI_SUPPORT_ZLIB
// //
// - If you define STBI_MAX_DIMENSIONS, stb_image will reject images greater
// than that size (in either width or height) without further processing.
// This is to let programs in the wild set an upper bound to prevent
// denial-of-service attacks on untrusted data, as one could generate a
// valid image of gigantic dimensions and force stb_image to allocate a
// huge block of memory and spend disproportionate time decoding it. By
// default this is set to (1 << 24), which is 16777216, but that's still
// very big.
#ifndef STBI_NO_STDIO #ifndef STBI_NO_STDIO
#include <stdio.h> #include <stdio.h>
@ -734,6 +749,10 @@ static int stbi__sse2_available(void)
#define STBI_SIMD_ALIGN(type, name) type name #define STBI_SIMD_ALIGN(type, name) type name
#endif #endif
#ifndef STBI_MAX_DIMENSIONS
#define STBI_MAX_DIMENSIONS (1 << 24)
#endif
/////////////////////////////////////////////// ///////////////////////////////////////////////
// //
// stbi__context struct and start_xxx functions // stbi__context struct and start_xxx functions
@ -792,12 +811,17 @@ static int stbi__stdio_read(void *user, char *data, int size)
static void stbi__stdio_skip(void *user, int n) static void stbi__stdio_skip(void *user, int n)
{ {
int ch;
fseek((FILE*) user, n, SEEK_CUR); fseek((FILE*) user, n, SEEK_CUR);
ch = fgetc((FILE*) user); /* have to read a byte to reset feof()'s flag */
if (ch != EOF) {
ungetc(ch, (FILE *) user); /* push byte back onto stream if valid. */
}
} }
static int stbi__stdio_eof(void *user) static int stbi__stdio_eof(void *user)
{ {
return feof((FILE*) user); return feof((FILE*) user) || ferror((FILE *) user);
} }
static stbi_io_callbacks stbi__stdio_callbacks = static stbi_io_callbacks stbi__stdio_callbacks =
@ -1174,8 +1198,10 @@ static unsigned char *stbi__load_and_postprocess_8bit(stbi__context *s, int *x,
if (result == NULL) if (result == NULL)
return NULL; return NULL;
// it is the responsibility of the loaders to make sure we get either 8 or 16 bit.
STBI_ASSERT(ri.bits_per_channel == 8 || ri.bits_per_channel == 16);
if (ri.bits_per_channel != 8) { if (ri.bits_per_channel != 8) {
STBI_ASSERT(ri.bits_per_channel == 16);
result = stbi__convert_16_to_8((stbi__uint16 *) result, *x, *y, req_comp == 0 ? *comp : req_comp); result = stbi__convert_16_to_8((stbi__uint16 *) result, *x, *y, req_comp == 0 ? *comp : req_comp);
ri.bits_per_channel = 8; ri.bits_per_channel = 8;
} }
@ -1198,8 +1224,10 @@ static stbi__uint16 *stbi__load_and_postprocess_16bit(stbi__context *s, int *x,
if (result == NULL) if (result == NULL)
return NULL; return NULL;
// it is the responsibility of the loaders to make sure we get either 8 or 16 bit.
STBI_ASSERT(ri.bits_per_channel == 8 || ri.bits_per_channel == 16);
if (ri.bits_per_channel != 16) { if (ri.bits_per_channel != 16) {
STBI_ASSERT(ri.bits_per_channel == 8);
result = stbi__convert_8_to_16((stbi_uc *) result, *x, *y, req_comp == 0 ? *comp : req_comp); result = stbi__convert_8_to_16((stbi_uc *) result, *x, *y, req_comp == 0 ? *comp : req_comp);
ri.bits_per_channel = 16; ri.bits_per_channel = 16;
} }
@ -1548,6 +1576,7 @@ stbi_inline static int stbi__at_eof(stbi__context *s)
#else #else
static void stbi__skip(stbi__context *s, int n) static void stbi__skip(stbi__context *s, int n)
{ {
if (n == 0) return; // already there!
if (n < 0) { if (n < 0) {
s->img_buffer = s->img_buffer_end; s->img_buffer = s->img_buffer_end;
return; return;
@ -1690,7 +1719,7 @@ static unsigned char *stbi__convert_format(unsigned char *data, int img_n, int r
STBI__CASE(4,1) { dest[0]=stbi__compute_y(src[0],src[1],src[2]); } break; STBI__CASE(4,1) { dest[0]=stbi__compute_y(src[0],src[1],src[2]); } break;
STBI__CASE(4,2) { dest[0]=stbi__compute_y(src[0],src[1],src[2]); dest[1] = src[3]; } break; STBI__CASE(4,2) { dest[0]=stbi__compute_y(src[0],src[1],src[2]); dest[1] = src[3]; } break;
STBI__CASE(4,3) { dest[0]=src[0];dest[1]=src[1];dest[2]=src[2]; } break; STBI__CASE(4,3) { dest[0]=src[0];dest[1]=src[1];dest[2]=src[2]; } break;
default: STBI_ASSERT(0); default: STBI_ASSERT(0); STBI_FREE(data); STBI_FREE(good); return stbi__errpuc("unsupported", "Unsupported format conversion");
} }
#undef STBI__CASE #undef STBI__CASE
} }
@ -1747,7 +1776,7 @@ static stbi__uint16 *stbi__convert_format16(stbi__uint16 *data, int img_n, int r
STBI__CASE(4,1) { dest[0]=stbi__compute_y_16(src[0],src[1],src[2]); } break; STBI__CASE(4,1) { dest[0]=stbi__compute_y_16(src[0],src[1],src[2]); } break;
STBI__CASE(4,2) { dest[0]=stbi__compute_y_16(src[0],src[1],src[2]); dest[1] = src[3]; } break; STBI__CASE(4,2) { dest[0]=stbi__compute_y_16(src[0],src[1],src[2]); dest[1] = src[3]; } break;
STBI__CASE(4,3) { dest[0]=src[0];dest[1]=src[1];dest[2]=src[2]; } break; STBI__CASE(4,3) { dest[0]=src[0];dest[1]=src[1];dest[2]=src[2]; } break;
default: STBI_ASSERT(0); default: STBI_ASSERT(0); STBI_FREE(data); STBI_FREE(good); return (stbi__uint16*) stbi__errpuc("unsupported", "Unsupported format conversion");
} }
#undef STBI__CASE #undef STBI__CASE
} }
@ -2056,7 +2085,7 @@ stbi_inline static int stbi__extend_receive(stbi__jpeg *j, int n)
sgn = (stbi__int32)j->code_buffer >> 31; // sign bit is always in MSB sgn = (stbi__int32)j->code_buffer >> 31; // sign bit is always in MSB
k = stbi_lrot(j->code_buffer, n); k = stbi_lrot(j->code_buffer, n);
STBI_ASSERT(n >= 0 && n < (int) (sizeof(stbi__bmask)/sizeof(*stbi__bmask))); if (n < 0 || n >= (int) (sizeof(stbi__bmask)/sizeof(*stbi__bmask))) return 0;
j->code_buffer = k & ~stbi__bmask[n]; j->code_buffer = k & ~stbi__bmask[n];
k &= stbi__bmask[n]; k &= stbi__bmask[n];
j->code_bits -= n; j->code_bits -= n;
@ -2167,6 +2196,7 @@ static int stbi__jpeg_decode_block_prog_dc(stbi__jpeg *j, short data[64], stbi__
// first scan for DC coefficient, must be first // first scan for DC coefficient, must be first
memset(data,0,64*sizeof(data[0])); // 0 all the ac values now memset(data,0,64*sizeof(data[0])); // 0 all the ac values now
t = stbi__jpeg_huff_decode(j, hdc); t = stbi__jpeg_huff_decode(j, hdc);
if (t == -1) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
diff = t ? stbi__extend_receive(j, t) : 0; diff = t ? stbi__extend_receive(j, t) : 0;
dc = j->img_comp[b].dc_pred + diff; dc = j->img_comp[b].dc_pred + diff;
@ -3157,6 +3187,8 @@ static int stbi__process_frame_header(stbi__jpeg *z, int scan)
p = stbi__get8(s); if (p != 8) return stbi__err("only 8-bit","JPEG format not supported: 8-bit only"); // JPEG baseline p = stbi__get8(s); if (p != 8) return stbi__err("only 8-bit","JPEG format not supported: 8-bit only"); // JPEG baseline
s->img_y = stbi__get16be(s); if (s->img_y == 0) return stbi__err("no header height", "JPEG format not supported: delayed height"); // Legal, but we don't handle it--but neither does IJG s->img_y = stbi__get16be(s); if (s->img_y == 0) return stbi__err("no header height", "JPEG format not supported: delayed height"); // Legal, but we don't handle it--but neither does IJG
s->img_x = stbi__get16be(s); if (s->img_x == 0) return stbi__err("0 width","Corrupt JPEG"); // JPEG requires s->img_x = stbi__get16be(s); if (s->img_x == 0) return stbi__err("0 width","Corrupt JPEG"); // JPEG requires
if (s->img_y > STBI_MAX_DIMENSIONS) return stbi__err("too large","Very large image (corrupt?)");
if (s->img_x > STBI_MAX_DIMENSIONS) return stbi__err("too large","Very large image (corrupt?)");
c = stbi__get8(s); c = stbi__get8(s);
if (c != 3 && c != 1 && c != 4) return stbi__err("bad component count","Corrupt JPEG"); if (c != 3 && c != 1 && c != 4) return stbi__err("bad component count","Corrupt JPEG");
s->img_n = c; s->img_n = c;
@ -4037,16 +4069,23 @@ typedef struct
stbi__zhuffman z_length, z_distance; stbi__zhuffman z_length, z_distance;
} stbi__zbuf; } stbi__zbuf;
stbi_inline static int stbi__zeof(stbi__zbuf *z)
{
return (z->zbuffer >= z->zbuffer_end);
}
stbi_inline static stbi_uc stbi__zget8(stbi__zbuf *z) stbi_inline static stbi_uc stbi__zget8(stbi__zbuf *z)
{ {
if (z->zbuffer >= z->zbuffer_end) return 0; return stbi__zeof(z) ? 0 : *z->zbuffer++;
return *z->zbuffer++;
} }
static void stbi__fill_bits(stbi__zbuf *z) static void stbi__fill_bits(stbi__zbuf *z)
{ {
do { do {
STBI_ASSERT(z->code_buffer < (1U << z->num_bits)); if (z->code_buffer >= (1U << z->num_bits)) {
z->zbuffer = z->zbuffer_end; /* treat this as EOF so we fail. */
return;
}
z->code_buffer |= (unsigned int) stbi__zget8(z) << z->num_bits; z->code_buffer |= (unsigned int) stbi__zget8(z) << z->num_bits;
z->num_bits += 8; z->num_bits += 8;
} while (z->num_bits <= 24); } while (z->num_bits <= 24);
@ -4071,10 +4110,11 @@ static int stbi__zhuffman_decode_slowpath(stbi__zbuf *a, stbi__zhuffman *z)
for (s=STBI__ZFAST_BITS+1; ; ++s) for (s=STBI__ZFAST_BITS+1; ; ++s)
if (k < z->maxcode[s]) if (k < z->maxcode[s])
break; break;
if (s == 16) return -1; // invalid code! if (s >= 16) return -1; // invalid code!
// code size is s, so: // code size is s, so:
b = (k >> (16-s)) - z->firstcode[s] + z->firstsymbol[s]; b = (k >> (16-s)) - z->firstcode[s] + z->firstsymbol[s];
STBI_ASSERT(z->size[b] == s); if (b >= sizeof (z->size)) return -1; // some data was corrupt somewhere!
if (z->size[b] != s) return -1; // was originally an assert, but report failure instead.
a->code_buffer >>= s; a->code_buffer >>= s;
a->num_bits -= s; a->num_bits -= s;
return z->value[b]; return z->value[b];
@ -4083,7 +4123,12 @@ static int stbi__zhuffman_decode_slowpath(stbi__zbuf *a, stbi__zhuffman *z)
stbi_inline static int stbi__zhuffman_decode(stbi__zbuf *a, stbi__zhuffman *z) stbi_inline static int stbi__zhuffman_decode(stbi__zbuf *a, stbi__zhuffman *z)
{ {
int b,s; int b,s;
if (a->num_bits < 16) stbi__fill_bits(a); if (a->num_bits < 16) {
if (stbi__zeof(a)) {
return -1; /* report error for unexpected end of data. */
}
stbi__fill_bits(a);
}
b = z->fast[a->code_buffer & STBI__ZFAST_MASK]; b = z->fast[a->code_buffer & STBI__ZFAST_MASK];
if (b) { if (b) {
s = b >> 9; s = b >> 9;
@ -4097,13 +4142,16 @@ stbi_inline static int stbi__zhuffman_decode(stbi__zbuf *a, stbi__zhuffman *z)
static int stbi__zexpand(stbi__zbuf *z, char *zout, int n) // need to make room for n bytes static int stbi__zexpand(stbi__zbuf *z, char *zout, int n) // need to make room for n bytes
{ {
char *q; char *q;
int cur, limit, old_limit; unsigned int cur, limit, old_limit;
z->zout = zout; z->zout = zout;
if (!z->z_expandable) return stbi__err("output buffer limit","Corrupt PNG"); if (!z->z_expandable) return stbi__err("output buffer limit","Corrupt PNG");
cur = (int) (z->zout - z->zout_start); cur = (unsigned int) (z->zout - z->zout_start);
limit = old_limit = (int) (z->zout_end - z->zout_start); limit = old_limit = (unsigned) (z->zout_end - z->zout_start);
while (cur + n > limit) if (UINT_MAX - cur < (unsigned) n) return stbi__err("outofmem", "Out of memory");
while (cur + n > limit) {
if(limit > UINT_MAX / 2) return stbi__err("outofmem", "Out of memory");
limit *= 2; limit *= 2;
}
q = (char *) STBI_REALLOC_SIZED(z->zout_start, old_limit, limit); q = (char *) STBI_REALLOC_SIZED(z->zout_start, old_limit, limit);
STBI_NOTUSED(old_limit); STBI_NOTUSED(old_limit);
if (q == NULL) return stbi__err("outofmem", "Out of memory"); if (q == NULL) return stbi__err("outofmem", "Out of memory");
@ -4201,11 +4249,12 @@ static int stbi__compute_huffman_codes(stbi__zbuf *a)
c = stbi__zreceive(a,2)+3; c = stbi__zreceive(a,2)+3;
if (n == 0) return stbi__err("bad codelengths", "Corrupt PNG"); if (n == 0) return stbi__err("bad codelengths", "Corrupt PNG");
fill = lencodes[n-1]; fill = lencodes[n-1];
} else if (c == 17) } else if (c == 17) {
c = stbi__zreceive(a,3)+3; c = stbi__zreceive(a,3)+3;
else { } else if (c == 18) {
STBI_ASSERT(c == 18);
c = stbi__zreceive(a,7)+11; c = stbi__zreceive(a,7)+11;
} else {
return stbi__err("bad codelengths", "Corrupt PNG");
} }
if (ntot - n < c) return stbi__err("bad codelengths", "Corrupt PNG"); if (ntot - n < c) return stbi__err("bad codelengths", "Corrupt PNG");
memset(lencodes+n, fill, c); memset(lencodes+n, fill, c);
@ -4231,7 +4280,7 @@ static int stbi__parse_uncompressed_block(stbi__zbuf *a)
a->code_buffer >>= 8; a->code_buffer >>= 8;
a->num_bits -= 8; a->num_bits -= 8;
} }
STBI_ASSERT(a->num_bits == 0); if (a->num_bits < 0) return stbi__err("zlib corrupt","Corrupt PNG");
// now fill header the normal way // now fill header the normal way
while (k < 4) while (k < 4)
header[k++] = stbi__zget8(a); header[k++] = stbi__zget8(a);
@ -4253,6 +4302,7 @@ static int stbi__parse_zlib_header(stbi__zbuf *a)
int cm = cmf & 15; int cm = cmf & 15;
/* int cinfo = cmf >> 4; */ /* int cinfo = cmf >> 4; */
int flg = stbi__zget8(a); int flg = stbi__zget8(a);
if (stbi__zeof(a)) return stbi__err("bad zlib header","Corrupt PNG"); // zlib spec
if ((cmf*256+flg) % 31 != 0) return stbi__err("bad zlib header","Corrupt PNG"); // zlib spec if ((cmf*256+flg) % 31 != 0) return stbi__err("bad zlib header","Corrupt PNG"); // zlib spec
if (flg & 32) return stbi__err("no preset dict","Corrupt PNG"); // preset dictionary not allowed in png if (flg & 32) return stbi__err("no preset dict","Corrupt PNG"); // preset dictionary not allowed in png
if (cm != 8) return stbi__err("bad compression","Corrupt PNG"); // DEFLATE required for png if (cm != 8) return stbi__err("bad compression","Corrupt PNG"); // DEFLATE required for png
@ -4514,7 +4564,7 @@ static int stbi__create_png_image_raw(stbi__png *a, stbi_uc *raw, stbi__uint32 r
return stbi__err("invalid filter","Corrupt PNG"); return stbi__err("invalid filter","Corrupt PNG");
if (depth < 8) { if (depth < 8) {
STBI_ASSERT(img_width_bytes <= x); if (img_width_bytes > x) return stbi__err("invalid width","Corrupt PNG");
cur += x*out_n - img_width_bytes; // store output to the rightmost img_len bytes, so we can decode in place cur += x*out_n - img_width_bytes; // store output to the rightmost img_len bytes, so we can decode in place
filter_bytes = 1; filter_bytes = 1;
width = img_width_bytes; width = img_width_bytes;
@ -4909,8 +4959,10 @@ static int stbi__parse_png_file(stbi__png *z, int scan, int req_comp)
if (!first) return stbi__err("multiple IHDR","Corrupt PNG"); if (!first) return stbi__err("multiple IHDR","Corrupt PNG");
first = 0; first = 0;
if (c.length != 13) return stbi__err("bad IHDR len","Corrupt PNG"); if (c.length != 13) return stbi__err("bad IHDR len","Corrupt PNG");
s->img_x = stbi__get32be(s); if (s->img_x > (1 << 24)) return stbi__err("too large","Very large image (corrupt?)"); s->img_x = stbi__get32be(s);
s->img_y = stbi__get32be(s); if (s->img_y > (1 << 24)) return stbi__err("too large","Very large image (corrupt?)"); s->img_y = stbi__get32be(s);
if (s->img_y > STBI_MAX_DIMENSIONS) return stbi__err("too large","Very large image (corrupt?)");
if (s->img_x > STBI_MAX_DIMENSIONS) return stbi__err("too large","Very large image (corrupt?)");
z->depth = stbi__get8(s); if (z->depth != 1 && z->depth != 2 && z->depth != 4 && z->depth != 8 && z->depth != 16) return stbi__err("1/2/4/8/16-bit only","PNG not supported: 1/2/4/8/16-bit only"); z->depth = stbi__get8(s); if (z->depth != 1 && z->depth != 2 && z->depth != 4 && z->depth != 8 && z->depth != 16) return stbi__err("1/2/4/8/16-bit only","PNG not supported: 1/2/4/8/16-bit only");
color = stbi__get8(s); if (color > 6) return stbi__err("bad ctype","Corrupt PNG"); color = stbi__get8(s); if (color > 6) return stbi__err("bad ctype","Corrupt PNG");
if (color == 3 && z->depth == 16) return stbi__err("bad ctype","Corrupt PNG"); if (color == 3 && z->depth == 16) return stbi__err("bad ctype","Corrupt PNG");
@ -5059,10 +5111,12 @@ static void *stbi__do_png(stbi__png *p, int *x, int *y, int *n, int req_comp, st
void *result=NULL; void *result=NULL;
if (req_comp < 0 || req_comp > 4) return stbi__errpuc("bad req_comp", "Internal error"); if (req_comp < 0 || req_comp > 4) return stbi__errpuc("bad req_comp", "Internal error");
if (stbi__parse_png_file(p, STBI__SCAN_load, req_comp)) { if (stbi__parse_png_file(p, STBI__SCAN_load, req_comp)) {
if (p->depth < 8) if (p->depth <= 8)
ri->bits_per_channel = 8; ri->bits_per_channel = 8;
else if (p->depth == 16)
ri->bits_per_channel = 16;
else else
ri->bits_per_channel = p->depth; return stbi__errpuc("bad bits_per_channel", "PNG not supported: unsupported color depth");
result = p->out; result = p->out;
p->out = NULL; p->out = NULL;
if (req_comp && req_comp != p->s->img_out_n) { if (req_comp && req_comp != p->s->img_out_n) {
@ -5223,6 +5277,8 @@ static void *stbi__bmp_parse_header(stbi__context *s, stbi__bmp_data *info)
info->mr = info->mg = info->mb = info->ma = 0; info->mr = info->mg = info->mb = info->ma = 0;
info->extra_read = 14; info->extra_read = 14;
if (info->offset < 0) return stbi__errpuc("bad BMP", "bad BMP");
if (hsz != 12 && hsz != 40 && hsz != 56 && hsz != 108 && hsz != 124) return stbi__errpuc("unknown BMP", "BMP type not supported: unknown"); if (hsz != 12 && hsz != 40 && hsz != 56 && hsz != 108 && hsz != 124) return stbi__errpuc("unknown BMP", "BMP type not supported: unknown");
if (hsz == 12) { if (hsz == 12) {
s->img_x = stbi__get16le(s); s->img_x = stbi__get16le(s);
@ -5314,6 +5370,9 @@ static void *stbi__bmp_load(stbi__context *s, int *x, int *y, int *comp, int req
flip_vertically = ((int) s->img_y) > 0; flip_vertically = ((int) s->img_y) > 0;
s->img_y = abs((int) s->img_y); s->img_y = abs((int) s->img_y);
if (s->img_y > STBI_MAX_DIMENSIONS) return stbi__errpuc("too large","Very large image (corrupt?)");
if (s->img_x > STBI_MAX_DIMENSIONS) return stbi__errpuc("too large","Very large image (corrupt?)");
mr = info.mr; mr = info.mr;
mg = info.mg; mg = info.mg;
mb = info.mb; mb = info.mb;
@ -5329,6 +5388,9 @@ static void *stbi__bmp_load(stbi__context *s, int *x, int *y, int *comp, int req
} }
if (psize == 0) { if (psize == 0) {
STBI_ASSERT(info.offset == s->callback_already_read + (int) (s->img_buffer - s->img_buffer_original)); STBI_ASSERT(info.offset == s->callback_already_read + (int) (s->img_buffer - s->img_buffer_original));
if (info.offset != s->callback_already_read + (s->img_buffer - s->buffer_start)) {
return stbi__errpuc("bad offset", "Corrupt BMP");
}
} }
if (info.bpp == 24 && ma == 0xff000000) if (info.bpp == 24 && ma == 0xff000000)
@ -5423,6 +5485,7 @@ static void *stbi__bmp_load(stbi__context *s, int *x, int *y, int *comp, int req
gshift = stbi__high_bit(mg)-7; gcount = stbi__bitcount(mg); gshift = stbi__high_bit(mg)-7; gcount = stbi__bitcount(mg);
bshift = stbi__high_bit(mb)-7; bcount = stbi__bitcount(mb); bshift = stbi__high_bit(mb)-7; bcount = stbi__bitcount(mb);
ashift = stbi__high_bit(ma)-7; acount = stbi__bitcount(ma); ashift = stbi__high_bit(ma)-7; acount = stbi__bitcount(ma);
if (rcount > 8 || gcount > 8 || bcount > 8 || acount > 8) { STBI_FREE(out); return stbi__errpuc("bad masks", "Corrupt BMP"); }
} }
for (j=0; j < (int) s->img_y; ++j) { for (j=0; j < (int) s->img_y; ++j) {
if (easy) { if (easy) {
@ -5647,6 +5710,9 @@ static void *stbi__tga_load(stbi__context *s, int *x, int *y, int *comp, int req
STBI_NOTUSED(tga_x_origin); // @TODO STBI_NOTUSED(tga_x_origin); // @TODO
STBI_NOTUSED(tga_y_origin); // @TODO STBI_NOTUSED(tga_y_origin); // @TODO
if (tga_height > STBI_MAX_DIMENSIONS) return stbi__errpuc("too large","Very large image (corrupt?)");
if (tga_width > STBI_MAX_DIMENSIONS) return stbi__errpuc("too large","Very large image (corrupt?)");
// do a tiny bit of precessing // do a tiny bit of precessing
if ( tga_image_type >= 8 ) if ( tga_image_type >= 8 )
{ {
@ -5686,6 +5752,11 @@ static void *stbi__tga_load(stbi__context *s, int *x, int *y, int *comp, int req
// do I need to load a palette? // do I need to load a palette?
if ( tga_indexed) if ( tga_indexed)
{ {
if (tga_palette_len == 0) { /* you have to have at least one entry! */
STBI_FREE(tga_data);
return stbi__errpuc("bad palette", "Corrupt TGA");
}
// any data to skip? (offset usually = 0) // any data to skip? (offset usually = 0)
stbi__skip(s, tga_palette_start ); stbi__skip(s, tga_palette_start );
// load the palette // load the palette
@ -5894,6 +5965,9 @@ static void *stbi__psd_load(stbi__context *s, int *x, int *y, int *comp, int req
h = stbi__get32be(s); h = stbi__get32be(s);
w = stbi__get32be(s); w = stbi__get32be(s);
if (h > STBI_MAX_DIMENSIONS) return stbi__errpuc("too large","Very large image (corrupt?)");
if (w > STBI_MAX_DIMENSIONS) return stbi__errpuc("too large","Very large image (corrupt?)");
// Make sure the depth is 8 bits. // Make sure the depth is 8 bits.
bitdepth = stbi__get16be(s); bitdepth = stbi__get16be(s);
if (bitdepth != 8 && bitdepth != 16) if (bitdepth != 8 && bitdepth != 16)
@ -6248,6 +6322,10 @@ static void *stbi__pic_load(stbi__context *s,int *px,int *py,int *comp,int req_c
x = stbi__get16be(s); x = stbi__get16be(s);
y = stbi__get16be(s); y = stbi__get16be(s);
if (y > STBI_MAX_DIMENSIONS) return stbi__errpuc("too large","Very large image (corrupt?)");
if (x > STBI_MAX_DIMENSIONS) return stbi__errpuc("too large","Very large image (corrupt?)");
if (stbi__at_eof(s)) return stbi__errpuc("bad file","file too short (pic header)"); if (stbi__at_eof(s)) return stbi__errpuc("bad file","file too short (pic header)");
if (!stbi__mad3sizes_valid(x, y, 4, 0)) return stbi__errpuc("too large", "PIC image too large to decode"); if (!stbi__mad3sizes_valid(x, y, 4, 0)) return stbi__errpuc("too large", "PIC image too large to decode");
@ -6356,6 +6434,9 @@ static int stbi__gif_header(stbi__context *s, stbi__gif *g, int *comp, int is_in
g->ratio = stbi__get8(s); g->ratio = stbi__get8(s);
g->transparent = -1; g->transparent = -1;
if (g->w > STBI_MAX_DIMENSIONS) return stbi__err("too large","Very large image (corrupt?)");
if (g->h > STBI_MAX_DIMENSIONS) return stbi__err("too large","Very large image (corrupt?)");
if (comp != 0) *comp = 4; // can't actually tell whether it's 3 or 4 until we parse the comments if (comp != 0) *comp = 4; // can't actually tell whether it's 3 or 4 until we parse the comments
if (is_info) return 1; if (is_info) return 1;
@ -6905,6 +6986,9 @@ static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int re
token += 3; token += 3;
width = (int) strtol(token, NULL, 10); width = (int) strtol(token, NULL, 10);
if (height > STBI_MAX_DIMENSIONS) return stbi__errpf("too large","Very large image (corrupt?)");
if (width > STBI_MAX_DIMENSIONS) return stbi__errpf("too large","Very large image (corrupt?)");
*x = width; *x = width;
*y = height; *y = height;
@ -7219,6 +7303,9 @@ static void *stbi__pnm_load(stbi__context *s, int *x, int *y, int *comp, int req
if (!stbi__pnm_info(s, (int *)&s->img_x, (int *)&s->img_y, (int *)&s->img_n)) if (!stbi__pnm_info(s, (int *)&s->img_x, (int *)&s->img_y, (int *)&s->img_n))
return 0; return 0;
if (s->img_y > STBI_MAX_DIMENSIONS) return stbi__errpuc("too large","Very large image (corrupt?)");
if (s->img_x > STBI_MAX_DIMENSIONS) return stbi__errpuc("too large","Very large image (corrupt?)");
*x = s->img_x; *x = s->img_x;
*y = s->img_y; *y = s->img_y;
if (comp) *comp = s->img_n; if (comp) *comp = s->img_n;