From 6c804082117c95c24b3d3af886319e8c21fcd8e0 Mon Sep 17 00:00:00 2001
From: Jorge Barredo Ferreira <[EMAIL REDACTED]>
Date: Mon, 6 Apr 2026 19:31:36 +0200
Subject: [PATCH] Fix heap-buffer-overflow READ in XCF RLE decoder (CWE-122)
Add destination pointer bounds check in load_xcf_tile_rle.
---
src/IMG_xcf.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/IMG_xcf.c b/src/IMG_xcf.c
index a2db70dc..f67817a0 100644
--- a/src/IMG_xcf.c
+++ b/src/IMG_xcf.c
@@ -631,6 +631,11 @@ static unsigned char *load_xcf_tile_rle(SDL_IOStream *src, size_t len, int bpp,
}
data = (unsigned char *)SDL_calloc(1, x*y*bpp);
+ if (!data) {
+ SDL_free(load);
+ return NULL;
+ }
+ unsigned char *data_end = data + x*y*bpp;
for (i = 0; i < bpp; i++) {
d = data + i;
size = x*y;
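Review bot: The size `x*y*bpp` is now evaluated twice, once in the `SDL_calloc` call and again for `data_end`, and at least `bpp` is an `int` (the declarations of `x` and `y` are cut off in the hunk header, presumably `int` too), so large tile dimensions taken from the file can overflow the product before either use. Compute it once in a wider type and reuse it, e.g. `size_t total = (size_t)x * (size_t)y * (size_t)bpp;` then `SDL_calloc(1, total)` and `data_end = data + total`, after rejecting non-positive dimensions. `data_end` is also declared after statements in the middle of the block; if this file is still built as C89 anywhere, move the declaration up with the other locals, which are outside this hunk.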
@@ -655,6 +660,9 @@ static unsigned char *load_xcf_tile_rle(SDL_IOStream *src, size_t len, int bpp,
size -= length;
while (length-- > 0) {
+ if (d >= data_end) {
+ break;
+ }
*d = *t++;
d += bpp;
}
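Review bot: The `break` added at `if (d >= data_end)` leaves only the inner copy loop, so decoding appears to continue in the enclosing loop (outside this hunk) with `size` already reduced by `length` and `t` not advanced past the rest of the run, i.e. on a desynchronised stream. The same applies to the run-fill loop in the third hunk. Treating the condition as corrupt input would be clearer, e.g. `SDL_free(load); SDL_free(data); return NULL;`, or a flag that ends the outer loops if partially decoded tiles are meant to be returned. Also, the subject describes an over-READ, but the new checks bound only the destination `d`; the source reads `*t++` here and `val = *t++` in the third hunk are not bounded by anything visible in these hunks, so it is worth confirming that `t` is checked against `load + len` before each read.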
@@ -676,6 +684,9 @@ static unsigned char *load_xcf_tile_rle(SDL_IOStream *src, size_t len, int bpp,
val = *t++;
for (j = 0; j < length; j++) {
+ if (d >= data_end) {
+ break;
+ }
*d = val;
d += bpp;
}