From d6a758cca20f3fa451a684ae4e5152a35e752dd9 Mon Sep 17 00:00:00 2001
From: Ozkan Sezer <[EMAIL REDACTED]>
Date: Sat, 17 Jul 2021 01:32:00 +0300
Subject: [PATCH] Fix out-of-bounds read in PCX loader.
Closes: https://github.com/libsdl-org/SDL_image/issues/164
---
IMG_pcx.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/IMG_pcx.c b/IMG_pcx.c
index 055978b..2d8264b 100644
--- a/IMG_pcx.c
+++ b/IMG_pcx.c
@@ -220,12 +220,14 @@ SDL_Surface *IMG_LoadPCX_RW(SDL_RWops *src)
} else if ( src_bits == 24 ) {
/* de-interlace planes */
Uint8 *innerSrc = buf;
+ Uint8 *end1 = buf+bpl;
int plane;
for ( plane = 0; plane < pcxh.NPlanes; plane++ ) {
int x;
Uint8 *dst = row + plane;
+ Uint8 *end2= row + surface->pitch;
for ( x = 0; x < width; x++ ) {
- if ( dst >= row+surface->pitch ) {
+ if ( innerSrc >= end1 || dst >= end2 ) {
error = "decoding out of bounds (corrupt?)";
goto done;
}
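Review bot: The new source bound `end1 = buf+bpl` is only correct if `bpl` is the number of bytes actually valid in `buf` for the current scanline, and nothing in this hunk shows that relation. State it at the declaration, e.g. `/* one past the last byte of buf filled for this scanline (bpl bytes) */`, and consider the names `src_end` / `dst_end` instead of `end1` / `end2`. Both limits derive from header fields and the surface pitch. If the loop body outside this hunk advances `innerSrc` by one byte and `dst` by `pcxh.NPlanes` per pixel, as the loop shape suggests, an inconsistent header could be rejected once before the plane loop rather than partway through a row. The rest of the inner loop and the `done` label are outside the hunk, so cleanup of the partially decoded surface on this error path cannot be confirmed from here.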