oss/luanti
oss/luanti
1
0
Fork 0
mirror of https://github.com/luanti-org/luanti.git synced 2025-06-27 16:36:03 +00:00
Code Wiki Activity

ImageSource: restrict max dimensions to protect from integer overflows (#15965)

Browse source
This commit is contained in:
sfan5 2025-04-01 19:12:37 +02:00 committed by GitHub
parent 0179021acc
commit 47c75b3294
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 19 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

21
src/client/imagesource.cpp
View file

@ -949,9 +949,10 @@ static void imageTransform(u32 transform, video::IImage *src, video::IImage *dst
#define CHECK_DIM(w, h) \
do { \
if ((w) <= 0 || (h) <= 0 || (w) >= 0xffff || (h) >= 0xffff) { \
COMPLAIN_INVALID("width or height"); \
} \
if ((w) <= 0 || (w) > MAX_IMAGE_DIMENSION) \
COMPLAIN_INVALID("width"); \
if ((h) <= 0 || (h) > MAX_IMAGE_DIMENSION) \
COMPLAIN_INVALID("height"); \
} while(0)
bool ImageSource::generateImagePart(std::string_view part_of_name,
@ -1350,6 +1351,8 @@ bool ImageSource::generateImagePart(std::string_view part_of_name,
v2u32 frame_size = baseimg->getDimension();
frame_size.Y /= frame_count;
if (frame_size.Y == 0)
frame_size.Y = 1;
video::IImage *img = driver->createImage(video::ECF_A8R8G8B8,
frame_size);
@ -1498,11 +1501,13 @@ bool ImageSource::generateImagePart(std::string_view part_of_name,
u32 w = scale * dim.Width;
u32 h = scale * dim.Height;
const core::dimension2d<u32> newdim(w, h);
video::IImage *newimg = driver->createImage(
baseimg->getColorFormat(), newdim);
baseimg->copyToScaling(newimg);
baseimg->drop();
baseimg = newimg;
if (w <= MAX_IMAGE_DIMENSION && h <= MAX_IMAGE_DIMENSION) {
video::IImage *newimg = driver->createImage(
baseimg->getColorFormat(), newdim);
baseimg->copyToScaling(newimg);
baseimg->drop();
baseimg = newimg;
}
}
}
}

6
src/client/imagesource.h
View file

@ -45,6 +45,12 @@ struct ImageSource {
// Insert a source image into the cache without touching the filesystem.
void insertSourceImage(const std::string &name, video::IImage *img, bool prefer_local);
// This was picked so that the image buffer size fits in an s32 (assuming 32bpp).
// The exact value is 23170 but this provides some leeway.
// In theory something like 33333x123 could be allowed, but there is no strong
// need or argument. Irrlicht also has the same limit.
static constexpr int MAX_IMAGE_DIMENSION = 23000;
private:
// Generate image based on a string like "stone.png" or "[crack:1:0".