diff --git a/src/imageformats/tga.cpp b/src/imageformats/tga.cpp
--- a/src/imageformats/tga.cpp
+++ b/src/imageformats/tga.cpp
@@ -189,7 +189,7 @@
 }
 uint pixel_size = (tga.pixel_size / 8);
- uint size = tga.width * tga.height * pixel_size;
+ qint64 size = qint64(tga.width) * qint64(tga.height) * pixel_size;
 if (size < 1) {
 // qDebug() << "This TGA file is broken with size " << size;
@@ -204,20 +204,34 @@
 }
 // Allocate image.
- uchar *const image = new uchar[size];
+ uchar *const image = reinterpret_cast(malloc(size));
+ if (!image) {
+ return false;
+ }
+
+ bool valid = true;
 if (info.rle) {
 // Decode image.
 char *dst = (char *)image;
- int num = size;
+ qint64 num = size;
 while (num > 0) {
+ if (s.atEnd()) {
+ valid = false;
+ break;
+ }
+
 // Get packet header.
 uchar c;
 s >> c;
 uint count = (c & 0x7f) + 1;
 num -= count * pixel_size;
+ if (num < 0) {
+ valid = false;
+ break;
+ }
 if (c & 0x80) {
 // RLE pixels.
@@ -240,6 +254,11 @@
 s.readRawData((char *)image, size);
 }
+ if (!valid) {
+ free(image);
+ return false;
+ }
+
 // Convert image to internal format.
 int y_start, y_step, y_end;
 if (tga.flags & TGA_ORIGIN_UPPER) {
@@ -294,7 +313,7 @@
 }
 // Free image.
- delete [] image;
+ free(image);
 return true;
 }
diff --git a/src/imageformats/xcf.cpp b/src/imageformats/xcf.cpp
--- a/src/imageformats/xcf.cpp
+++ b/src/imageformats/xcf.cpp
@@ -495,11 +495,12 @@
 quint32 ncolors;
 xcf_io >> ncolors;
+ size = 3 * ncolors + 4;
+
 if (size > 65535 || size < 4) {
 return false;
 }
- size = 3 * ncolors + 4;
 data = new char[size];
 // since we already read "ncolors" from the stream, we put that data back
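Review bot: The widened `size` is still unbounded above when it reaches `malloc(size)` and `s.readRawData((char *)image, size)` further down, so header-supplied dimensions keep driving an allocation that can be several gigabytes, and the qint64 is narrowed to size_t for malloc and to int if the QDataStream::readRawData overload in use takes an int length — on a 32-bit build a value beyond the narrower type's range wraps while `num` keeps the full 64-bit count. Tightening the existing check bounds both: `if (size < 1 || size > std::numeric_limits<int>::max()) {`, after which the allocation and the raw read agree on the same value. The enclosing function starts and ends outside this hunk.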
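Review bot: The new `s.atEnd()` guard only covers the packet header byte; the pixel reads that follow inside the loop (outside this hunk) can still run off the end of the stream mid-packet, and QDataStream then keeps returning zero-valued reads while only recording the condition in its status, so `valid` stays true and the partially filled buffer is converted as if complete. Since `valid` is now tracked, a status check after the loop closes that gap: `if (s.status() != QDataStream::Ok) { valid = false; }` placed before the `if (!valid)` cleanup. The `reinterpret_cast(malloc(size))` line appears to have lost its template argument in rendering, presumably `reinterpret_cast<uchar *>`; worth confirming against the actual source. The loop body continues past the end of this hunk.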
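Review bot: The non-RLE path at the top of this hunk discards the return value of `s.readRawData((char *)image, size)`, so a truncated file leaves the tail of `image` as uninitialized heap memory (neither malloc nor the previous `new uchar[]` zeroes it) that is then converted into the output image, and `valid` never becomes false on that path. Check the byte count instead: `if (s.readRawData((char *)image, size) != size) { valid = false; }`. Because `size` is now qint64 while the Qt 5 overload returns int, the comparison is only meaningful once `size` has been bounded to the int range earlier in the function.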
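Review bot: In the xcf.cpp hunk, `size = 3 * ncolors + 4;` is evaluated in quint32 arithmetic before the range check, so an `ncolors` large enough to wrap the multiplication (above roughly 1.43e9) yields a small `size` that passes `size > 65535 || size < 4` while `ncolors` itself is left unchecked for whatever later consumes it. Bound the count rather than the product, ahead of the assignment: `if (ncolors > (65535u - 4) / 3) { return false; }`, keeping the existing size check as a second line of defence. The declaration of `size` is outside this hunk, so its type (and any additional signed conversion) cannot be confirmed from here.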