From 07539e225de17bfa1c15533a6aa4918ede847fd9 Mon Sep 17 00:00:00 2001
From: Garey27
Date: Sun, 22 Mar 2020 20:16:45 +0500
Subject: [PATCH] Add extra checks to validate WAD3 MIP-Header. (#755)
* Add extra checks to validate WAD3 MIP-Header.
---
rehlds/engine/decals.cpp | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/rehlds/engine/decals.cpp b/rehlds/engine/decals.cpp
index 7210f50..ff382ea 100644
--- a/rehlds/engine/decals.cpp
+++ b/rehlds/engine/decals.cpp
@@ -742,23 +742,40 @@ qboolean Draw_ValidateCustomLogo(cachewad_t *wad, unsigned char *data, lumpinfo_ tex.alternate_anims = NULL; tex.anim_next = NULL; + if (!tex.width || tex.width > 256 || tex.height > 256) + { + Con_Printf("%s: Bad wad dimensions %s\n", __func__, wad->name); + return FALSE; + } + for (int i = 0; i < MIPLEVELS; i++) tex.offsets[i] = wad->cacheExtra + LittleLong(tmp.offsets[i]); pix = tex.width * tex.height; pixoffset = pix + (pix >> 2) + (pix >> 4) + (pix >> 6); + +#ifdef REHLDS_FIXES + // Ensure that pixoffset won't be exceed the pre allocated buffer + // This can happen when there are no color palettes in payload + if ((pixoffset + sizeof(texture_t)) >= (unsigned)(wad->cacheExtra + lump->size)) + { + Con_Printf("%s: Bad wad payload size %s\n", __func__, wad->name); + return FALSE; + } +#endif + paloffset = (pix >> 2) + tmp.offsets[0] + pix; palettesize = (pix >> 4) + paloffset; - nPalleteCount = *(u_short *)(data + pixoffset + sizeof(texture_t)); - if (!tex.width || tex.width > 256 || tex.height > 256 - || (tmp.offsets[0] + pix != tmp.offsets[1]) - || paloffset != tmp.offsets[2] || palettesize != tmp.offsets[3]) + if ((tmp.offsets[0] + pix != tmp.offsets[1]) + || paloffset != tmp.offsets[2] + || palettesize != tmp.offsets[3]) { Con_Printf("%s: Bad cached wad %s\n", __func__, wad->name); return FALSE; } + nPalleteCount = *(u_short *)(data + pixoffset + sizeof(texture_t)); if (nPalleteCount > 256) { Con_Printf("%s: Bad cached wad palette size %i on %s\n", __func__, nPalleteCount, wad->name);
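Review bot: The new `REHLDS_FIXES` bound check compares with `>=`, but the read it protects, `nPalleteCount = *(u_short *)(data + pixoffset + sizeof(texture_t))`, fetches two bytes, so an offset of exactly one less than the buffer size still passes and the second byte is read past the end (assuming, as the added comment implies, that `wad->cacheExtra + lump->size` is the allocated size of `data`). The comparison should account for the width of the read: `if (pixoffset + sizeof(texture_t) + sizeof(u_short) > (unsigned)(wad->cacheExtra + lump->size))`. The guard is compiled only under `REHLDS_FIXES` while the dereference is unconditional, so builds without that define keep the unchecked read on what appears to be client-supplied logo data; a comment saying this is intentional would help. The dimension check still accepts `tex.height == 0`, since only `!tex.width` is tested. The body of `Draw_ValidateCustomLogo` starts before and continues after this hunk, so whether the palette entries that follow the count are bounded cannot be judged from here.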