From 5ed53b347459ccc71dc52a05e09ac16294523b57 Mon Sep 17 00:00:00 2001
From: Jelle Raaijmakers
Date: Sun, 15 Jan 2023 18:35:56 +0100
Subject: [PATCH] LibGfx: Prevent reading OOB in TGA header decode
---
 Userland/Libraries/LibGfx/TGALoader.cpp | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/Userland/Libraries/LibGfx/TGALoader.cpp b/Userland/Libraries/LibGfx/TGALoader.cpp
index 71cea324a67..4f253fb9d3d 100644
--- a/Userland/Libraries/LibGfx/TGALoader.cpp
+++ b/Userland/Libraries/LibGfx/TGALoader.cpp
@@ -151,8 +151,6 @@ private:
 struct TGALoadingContext {
 TGAHeader header;
- ReadonlyBytes bytes;
- size_t file_size;
 OwnPtr reader = { nullptr };
 RefPtr bitmap;
 };
@@ -160,9 +158,7 @@ struct TGALoadingContext {
 TGAImageDecoderPlugin::TGAImageDecoderPlugin(u8 const* file_data, size_t file_size)
 {
 m_context = make();
- m_context->bytes = ReadonlyBytes(file_data, file_size);
- m_context->file_size = move(file_size);
- m_context->reader = make(m_context->bytes);
+ m_context->reader = make(ReadonlyBytes { file_data, file_size });
 }
 TGAImageDecoderPlugin::~TGAImageDecoderPlugin() = default;
@@ -188,6 +184,9 @@ bool TGAImageDecoderPlugin::set_nonvolatile(bool& was_purged)
 bool TGAImageDecoderPlugin::decode_tga_header()
 {
 auto& reader = m_context->reader;
+ if (reader->data().size() < sizeof(TGAHeader))
+ return false;
+
 m_context->header = TGAHeader();
 m_context->header.id_length = reader->read_u8();
 m_context->header.color_map_type = reader->read_u8();
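Review bot: The constructor now hands `file_data`/`file_size` straight to the reader as a `ReadonlyBytes`, and nothing in this hunk copies the buffer, so the decoder appears to hold a non-owning view for its whole lifetime. That lifetime requirement is not written down anywhere visible here; a one-line comment above the assignment would do, e.g. `// Non-owning view: the caller must keep file_data alive for as long as this plugin exists.`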
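Review bot: The new guard in decode_tga_header() tests `reader->data().size()`, which is the total buffer length rather than the bytes left at the reader's current offset, so it protects the header reads only if the reader is still at offset 0 when the function runs; nothing in this hunk shows that it cannot be entered twice on the same reader. The check also covers just the fixed-size header, so any later reads sized by header fields taken from the file (for example `id_length`) need their own length validation, and that code lies outside this hunk. `sizeof(TGAHeader)` matches the on-disk header length only if the struct is packed, which is presumably the case but would be worth pinning with a `static_assert` next to the struct. The commit title implies the `read_*()` calls do not bounds-check themselves, so I would state that above the guard: `// Reject inputs shorter than the fixed header before the unchecked read_*() calls below.` The function body continues past the end of the hunk.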