GNOME Bugzilla – Bug 604002
SGI: RLE encoded input data may write beyond allocated buffers
Last modified: 2009-12-09 16:23:21 UTC
Created attachment 149274: Proposed fix: ensure that RLE decoding doesn't access memory beyond allocated buffers

The SGI file format allows data to be run-length encoded. When decoding such data and writing it to memory, the plugin doesn't ensure that it won't write beyond the end of allocated buffers.
Review of attachment 149274:

The fix looks good, although I absolutely dislike the additional visual clutter in the already crowded for-loop. What about using "count = MIN (ch & 127, xsize);" a few lines earlier and avoiding the new condition in the loop?
Created attachment 149441: Proposed fix: ensure that RLE decoding doesn't access memory beyond allocated buffers (amended)

Rework the fix above as proposed by Simon.
Created attachment 149442: SGI image file exhibiting the RLE decoding error
Review of attachment 149441:

committed: 4d9724f SGI: fix out of bounds writes
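To illustrate the clamp proposed in the review, here is an added example (not the plugin's own code, and not either of the attachments): a hypothetical in-memory decoder for one 8-bit SGI RLE scanline, where `count = MIN (ch & 127, xsize)` bounds every run by the pixels still missing from the row. The function name, the in-memory input and the sentinel check in `main` are assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Decode one 8-bit SGI RLE scanline from `in` into `row`, which must hold
 * at least `xsize` bytes.  Hypothetical re-creation of the decoding loop,
 * with the clamp suggested in the review applied before the run is written.
 * Returns the number of input bytes consumed, or -1 if the input ends early
 * or the scanline terminates before `xsize` pixels were produced. */
int sgi_read_rle8(const unsigned char *in, size_t in_len,
                  unsigned char *row, int xsize)
{
    size_t pos = 0;

    while (xsize > 0) {
        if (pos >= in_len)
            return -1;
        int ch = in[pos++];
        /* The fix: a run may never be longer than the pixels still missing
         * from this scanline, so a crafted count cannot write past `row`.
         * A clamped run leaves its tail unread; that is harmless because the
         * loop ends as soon as xsize reaches 0. */
        int count = MIN(ch & 127, xsize);
        if (count == 0)
            break;                      /* a zero count ends the scanline */
        if (ch & 128) {                 /* literal run: the next count bytes */
            if (pos + (size_t)count > in_len)
                return -1;
            memcpy(row, in + pos, (size_t)count);
            pos += (size_t)count;
        } else {                        /* repeat run: one byte, count times */
            if (pos >= in_len)
                return -1;
            memset(row, in[pos++], (size_t)count);
        }
        row += count;
        xsize -= count;
    }
    return xsize > 0 ? -1 : (int)pos;
}

int main(void)
{
    /* Constructed input: a repeat run claiming 7 pixels for a 4-pixel row.
     * The byte after the row is a sentinel that must survive decoding. */
    const unsigned char overlong[] = { 0x07, 'X' };
    unsigned char row[5] = { 0, 0, 0, 0, 0xEE };
    int n = sgi_read_rle8(overlong, sizeof overlong, row, 4);
    printf("consumed=%d row=%.4s sentinel=0x%02X\n", n, (const char *)row, row[4]);
    return row[4] == 0xEE ? 0 : 1;
}
```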