Add buffer size check to Image.load_tga_from_buffer(). Fixes godoteng…

…ine#67985 (cherry picked from commit 5cb0748)
Riordan-DC · Jan 23, 2023 · 9960f78 · 9960f78
1 parent 7157e95
commit 9960f78
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/modules/tga/image_loader_tga.cpp b/modules/tga/image_loader_tga.cpp
@@ -265,14 +265,21 @@ Error ImageLoaderTGA::load_image(Ref<Image> p_image, FileAccess *f, bool p_force
 		err = FAILED;
 	}
 
+	uint64_t color_map_size;
 	if (has_color_map) {
 		if (tga_header.color_map_length > 256 || (tga_header.color_map_depth != 24) || tga_header.color_map_type != 1) {
 			err = FAILED;
 		}
+		color_map_size = tga_header.color_map_length * (tga_header.color_map_depth >> 3);
 	} else {
 		if (tga_header.color_map_type) {
 			err = FAILED;
 		}
+		color_map_size = 0;
+	}
+
+	if ((src_image_len - f->get_position()) < (tga_header.id_length + color_map_size)) {
+		err = FAILED; // TGA data appears to be truncated (fewer bytes than expected).
 	}
 
 	if (tga_header.image_width <= 0 || tga_header.image_height <= 0) {
@@ -289,7 +296,6 @@ Error ImageLoaderTGA::load_image(Ref<Image> p_image, FileAccess *f, bool p_force
 		PoolVector<uint8_t> palette;
 
 		if (has_color_map) {
-			size_t color_map_size = tga_header.color_map_length * (tga_header.color_map_depth >> 3);
 			err = palette.resize(color_map_size);
 			if (err == OK) {
 				PoolVector<uint8_t>::Write palette_w = palette.write();