Protect against overallocation when reading corrupt texture from bam

rdb 2016-12-03 01:04:35 +01:00
parent 4a8f1839ea
commit 2b6e192e5a


@ -8271,6 +8271,14 @@ do_fillin_body(CData *cdata, DatagramIterator &scan, BamReader *manager) {
cdata->_simple_image_date_generated = scan.get_int32();
size_t u_size = scan.get_uint32();
// Protect against large allocation.
if (u_size > scan.get_remaining_size()) {
gobj_cat.error()
<< "simple RAM image extends past end of datagram, is texture corrupt?\n";
return;
}
PTA_uchar image = PTA_uchar::empty_array(u_size, get_class_type());
scan.extract_bytes(image.p(), u_size);
@ -8327,6 +8335,14 @@ do_fillin_rawdata(CData *cdata, DatagramIterator &scan, BamReader *manager) {
// fill the cdata->_image buffer with image data
size_t u_size = scan.get_uint32();
// Protect against large allocation.
if (u_size > scan.get_remaining_size()) {
gobj_cat.error()
<< "RAM image " << n << " extends past end of datagram, is texture corrupt?\n";
return;
}
PTA_uchar image = PTA_uchar::empty_array(u_size, get_class_type());
scan.extract_bytes(image.p(), u_size);
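Review bot: Both new guards leave through a bare `return;`, so the caller of do_fillin_body or do_fillin_rawdata gets no signal that the read was abandoned and presumably continues with a CData that is only partly filled in. In the first hunk `_simple_image_date_generated` has already been written by the time the check fails, and in the second hunk the message's `n` suggests a loop in which earlier RAM images may already be stored. Either reset the fields populated so far before returning, or record the failure somewhere the reader can see it, so a corrupt texture is rejected as a whole rather than used half-loaded. At minimum, document the state at each return with something like `// Bail out: cdata is left partially filled; the texture must not be used as-is.` Both function bodies start and end outside the hunks, so any later cleanup is not visible here. The identical check could also move into one small helper so the two sites cannot drift apart.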