Fix T46534: Crash loading corrupt HDR's
authorCampbell Barton <ideasman42@gmail.com>
Mon, 19 Oct 2015 15:05:52 +0000 (02:05 +1100)
committerCampbell Barton <ideasman42@gmail.com>
Mon, 19 Oct 2015 15:13:14 +0000 (02:13 +1100)
source/blender/imbuf/intern/radiance_hdr.c

index 5bb438f5dbe87bab2434ffe6a8923e4d3159c91f..71e74928e205fdc406f936f437962c4a17300d5c 100644 (file)
@@ -137,6 +137,9 @@ static const unsigned char *freadcolrs(RGBE *scan, const unsigned char *mem, int
                        code = *mem++;
                        if (code > 128) {
                                code &= 127;
+                               if (UNLIKELY(code + j > xmax)) {
+                                       return NULL;
+                               }
                                val = *mem++;
                                while (code--) {
                                        scan[j++][i] = (unsigned char)val;
@@ -146,6 +149,9 @@ static const unsigned char *freadcolrs(RGBE *scan, const unsigned char *mem, int
                                if (UNLIKELY(mem_eof - mem < code)) {
                                        return NULL;
                                }
+                               if (UNLIKELY(code + j > xmax)) {
+                                       return NULL;
+                               }
                                while (code--) {
                                        scan[j++][i] = *mem++;
                                }