From 2c9d2d84b000a6a6892fefbd6effaf3452a4609d Mon Sep 17 00:00:00 2001
From: Jorge Barredo Ferreira <[EMAIL REDACTED]>
Date: Mon, 6 Apr 2026 19:31:36 +0200
Subject: [PATCH] Fix heap-buffer-overflow READ in XCF RLE decoder (CWE-122)
Add destination pointer bounds check in load_xcf_tile_rle.
(cherry picked from commit 6c804082117c95c24b3d3af886319e8c21fcd8e0)
---
src/IMG_xcf.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/IMG_xcf.c b/src/IMG_xcf.c
index 7c6d0562..57679f8f 100644
--- a/src/IMG_xcf.c
+++ b/src/IMG_xcf.c
@@ -638,6 +638,11 @@ static unsigned char *load_xcf_tile_rle(SDL_IOStream *src, size_t len, int bpp,
}
data = (unsigned char *)SDL_calloc(1, x*y*bpp);
+ if (!data) {
+ SDL_free(load);
+ return NULL;
+ }
+ unsigned char *data_end = data + x*y*bpp;
for (i = 0; i < bpp; i++) {
d = data + i;
size = x*y;
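Review bot: The allocation size `x*y*bpp` is computed twice in this hunk (the SDL_calloc argument and the new `data_end` bound), and neither computation is guarded against arithmetic overflow; if `x` and `y` are `int` as `bpp` is, the product is evaluated in signed int before reaching the `size_t` parameter, and a wrapped product would yield a small buffer with a consistent `data_end`, so the new guard would hold but the tile would be silently truncated. Hoisting the product into one `size_t` variable with a check such as `if (x > 0 && (size_t)y > SIZE_MAX / (size_t)x / (size_t)bpp) { SDL_free(load); return NULL; }` before the SDL_calloc would both close that case and keep the bound and the allocation from drifting apart. The types of `x` and `y` are declared outside the hunk, so this is an inference to confirm. The body of load_xcf_tile_rle starts before this hunk.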
@@ -662,6 +667,9 @@ static unsigned char *load_xcf_tile_rle(SDL_IOStream *src, size_t len, int bpp,
size -= length;
while (length-- > 0) {
+ if (d >= data_end) {
+ break;
+ }
*d = *t++;
d += bpp;
}
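Review bot: The new `if (d >= data_end) break;` guard prevents the out-of-bounds write, but it turns an oversized RLE run into a silently truncated tile: the inner loop stops while `size` and the outer loop continue, and the caller receives a partially decoded buffer with no indication the data was malformed. Since a run that overshoots the tile can only come from a corrupt or crafted file, it would be clearer to treat it as a decode error, e.g. replacing the break with `goto error` (or whatever cleanup label the function uses) so that `data` and `load` are freed and NULL is returned, as the allocation-failure path in the first hunk already does. The same applies to the identical guard in the third hunk at the `*d = val` loop. The surrounding loop and error handling extend outside this hunk, so the cleanup target is an assumption to confirm.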
@@ -683,6 +691,9 @@ static unsigned char *load_xcf_tile_rle(SDL_IOStream *src, size_t len, int bpp,
val = *t++;
for (j = 0; j < length; j++) {
+ if (d >= data_end) {
+ break;
+ }
*d = val;
d += bpp;
}