From da5f07f747dfc54500d697d8f0783e1b7ce13e22 Mon Sep 17 00:00:00 2001
From: Jorge Barredo Ferreira
Date: Fri, 10 Apr 2026 11:16:01 +0200
Subject: [PATCH] Fix heap-buffer-overflow read in TARGA RLE loader

When loading a malformed TGA file whose declared image dimensions exceed the actual remaining pixel data, the IOCache buffer size computed as (remaining_size / height) can be smaller than a single pixel. The RLE decoder then calls getBytes(file_pixel_size) and reads past the end of the undersized buffer.

Ensure the cache size is at least file_pixel_size bytes so that every getBytes call reads within bounds.

CWE-122 (Heap-based Buffer Overflow)

Found during academic security research.
---
 Source/FreeImage/PluginTARGA.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/Source/FreeImage/PluginTARGA.cpp b/Source/FreeImage/PluginTARGA.cpp
index 0457994..db97187 100644
--- a/Source/FreeImage/PluginTARGA.cpp
+++ b/Source/FreeImage/PluginTARGA.cpp
@@ -593,7 +593,13 @@ loadRLE(FIBITMAP*& dib, int width, int height, FreeImageIO* io, fi_handle handle
 if (remaining_size < height) {
 throw FI_MSG_ERROR_CORRUPTED;
 }
- const long sz = (remaining_size / height);
+ long sz = (remaining_size / height);
+
+ // Ensure the cache is at least one pixel wide to prevent
+ // out-of-bounds reads when getBytes(file_pixel_size) is called.
+ if (sz < file_pixel_size) {
+ sz = file_pixel_size;
+ }
 // ...and allocate cache of this size (yields good results)
 IOCache cache(io, handle, sz);
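Review bot: The new clamp `if (sz < file_pixel_size)` compares a `long` with whatever type file_pixel_size is declared as outside the hunk; if that is an unsigned type the comparison is performed unsigned and trips -Wsign-compare, so a cast such as `if (sz < (long)file_pixel_size)` would make the intent explicit and keep the build warning-clean. The clamp also means the cache can now be larger than the bytes actually left in the file, so the fix relies on IOCache's refill path tolerating a short read from the io read callback and not handing back stale bytes; that code is outside this hunk and is worth confirming rather than assuming. I would also extend the comment to state the invariant the buffer size depends on, e.g. `// Invariant: no getBytes() call in this decoder requests more than file_pixel_size bytes at once.`, because any single larger request (such as reading a whole raw packet in one call) would reintroduce the over-read this commit closes. The enclosing function loadRLE begins and ends outside the hunk.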