Fix heap-buffer-overflow read in TARGA RLE loader#39
Open
JorgeBarredo14 wants to merge 1 commit intodanoli3:masterfrom
Open
Fix heap-buffer-overflow read in TARGA RLE loader#39JorgeBarredo14 wants to merge 1 commit intodanoli3:masterfrom
JorgeBarredo14 wants to merge 1 commit intodanoli3:masterfrom
Conversation
When loading a malformed TGA file whose declared image dimensions exceed the actual remaining pixel data, the IOCache buffer size computed as (remaining_size / height) can be smaller than a single pixel. The RLE decoder then calls getBytes(file_pixel_size) and reads past the end of the undersized buffer. Ensure the cache size is at least file_pixel_size bytes so that every getBytes call reads within bounds. CWE-122 (Heap-based Buffer Overflow) Found during academic security research.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
When loading a malformed TGA file whose declared image dimensions exceed the actual remaining pixel data, the
IOCachebuffer size computed as(remaining_size / height)can be smaller than a single pixel. The RLE decoder then callsgetBytes(file_pixel_size)and reads past the end of the undersized buffer.Root cause
PluginTARGA.cppline 596:const long sz = (remaining_size / height);— ifremaining_sizeis small relative toheight,szcan be less thanfile_pixel_size(e.g. 1 byte for a 24-bpp image that needs 3 bytes per pixel).Fix
Clamp the cache size to at least
file_pixel_sizeso that everygetBytescall reads within bounds.Metadata
_assignPixel<24>atPluginTARGA.cpp:547, called fromloadRLE<24>at line 651