Home Explore Help
Sign In
c
/
stb
mirror of https://github.com/nothings/stb.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Check for some obviously bad inputs from corrupt/malicious data.

These all caused crashes during fuzzing.
Ryan C. Gordon 5 years ago
parent
385b5d3cda
commit
b5d2296d5d
1 changed files with 13 additions and 3 deletions
Split View Show Diff Stats
  1. 13 3
      stb_image.h

+ 13 - 3
stb_image.h
View File 

@@ -4072,7 +4072,7 @@ static int stbi__zhuffman_decode_slowpath(stbi__zbuf *a, stbi__zhuffman *z)
 
    for (s=STBI__ZFAST_BITS+1; ; ++s)
 
       if (k < z->maxcode[s])
 
          break;
 
-   if (s == 16) return -1; // invalid code!
 
+   if (s >= 16) return -1; // invalid code!
 
    // code size is s, so:
 
    b = (k >> (16-s)) - z->firstcode[s] + z->firstsymbol[s];
 
    STBI_ASSERT(z->size[b] == s);
 
@@ -5060,10 +5060,12 @@ static void *stbi__do_png(stbi__png *p, int *x, int *y, int *n, int req_comp, st
 
    void *result=NULL;
 
    if (req_comp < 0 || req_comp > 4) return stbi__errpuc("bad req_comp", "Internal error");
 
    if (stbi__parse_png_file(p, STBI__SCAN_load, req_comp)) {
 
-      if (p->depth < 8)
 
+      if (p->depth <= 8)
 
          ri->bits_per_channel = 8;
 
+      else if (p->depth == 16)
 
+         ri->bits_per_channel = 16;
 
       else
 
-         ri->bits_per_channel = p->depth;
 
+         return stbi__errpuc("bad bits_per_channel", "PNG not supported: unsupported color depth");
 
       result = p->out;
 
       p->out = NULL;
 
       if (req_comp && req_comp != p->s->img_out_n) {
 
@@ -5224,6 +5226,8 @@ static void *stbi__bmp_parse_header(stbi__context *s, stbi__bmp_data *info)
 
    info->mr = info->mg = info->mb = info->ma = 0;
 
    info->extra_read = 14;
 
 
+   if (info->offset < 0) return stbi__errpuc("bad BMP", "bad BMP");
 
+
 
    if (hsz != 12 && hsz != 40 && hsz != 56 && hsz != 108 && hsz != 124) return stbi__errpuc("unknown BMP", "BMP type not supported: unknown");
 
    if (hsz == 12) {
 
       s->img_x = stbi__get16le(s);
 
@@ -5424,6 +5428,7 @@ static void *stbi__bmp_load(stbi__context *s, int *x, int *y, int *comp, int req
 
          gshift = stbi__high_bit(mg)-7; gcount = stbi__bitcount(mg);
 
          bshift = stbi__high_bit(mb)-7; bcount = stbi__bitcount(mb);
 
          ashift = stbi__high_bit(ma)-7; acount = stbi__bitcount(ma);
 
+         if (rcount > 8 || gcount > 8 || bcount > 8 || acount > 8) { STBI_FREE(out); return stbi__errpuc("bad masks", "Corrupt BMP"); }
 
       }
 
       for (j=0; j < (int) s->img_y; ++j) {
 
          if (easy) {
 
@@ -5687,6 +5692,11 @@ static void *stbi__tga_load(stbi__context *s, int *x, int *y, int *comp, int req
 
       //   do I need to load a palette?
 
       if ( tga_indexed)
 
       {
 
+         if (tga_palette_len == 0) {  /* you have to have at least one entry! */
 
+            STBI_FREE(tga_data);
 
+            return stbi__errpuc("bad palette", "Corrupt TGA");
 
+         }
 
+
 
          //   any data to skip? (offset usually = 0)
 
          stbi__skip(s, tga_palette_start );
 
          //   load the palette