mirror of https://github.com/rehlds/rehlds.git synced 2025-01-01 01:25:38 +03:00

Add extra checks to validate WAD3 MIP-Header. (#755)

* Add extra checks to validate WAD3 MIP-Header.
Garey27 2020-03-22 20:16:45 +05:00 committed by GitHub
parent c4cecf5f12
commit 07539e225d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -742,23 +742,40 @@ qboolean Draw_ValidateCustomLogo(cachewad_t *wad, unsigned char *data, lumpinfo_
tex.alternate_anims = NULL; tex.alternate_anims = NULL;
tex.anim_next = NULL; tex.anim_next = NULL;
if (!tex.width || tex.width > 256 || tex.height > 256)
{
Con_Printf("%s: Bad wad dimensions %s\n", __func__, wad->name);
return FALSE;
}
for (int i = 0; i < MIPLEVELS; i++) for (int i = 0; i < MIPLEVELS; i++)
tex.offsets[i] = wad->cacheExtra + LittleLong(tmp.offsets[i]); tex.offsets[i] = wad->cacheExtra + LittleLong(tmp.offsets[i]);
pix = tex.width * tex.height; pix = tex.width * tex.height;
pixoffset = pix + (pix >> 2) + (pix >> 4) + (pix >> 6); pixoffset = pix + (pix >> 2) + (pix >> 4) + (pix >> 6);
#ifdef REHLDS_FIXES
// Ensure that pixoffset won't be exceed the pre allocated buffer
// This can happen when there are no color palettes in payload
if ((pixoffset + sizeof(texture_t)) >= (unsigned)(wad->cacheExtra + lump->size))
{
Con_Printf("%s: Bad wad payload size %s\n", __func__, wad->name);
return FALSE;
}
#endif
paloffset = (pix >> 2) + tmp.offsets[0] + pix; paloffset = (pix >> 2) + tmp.offsets[0] + pix;
palettesize = (pix >> 4) + paloffset; palettesize = (pix >> 4) + paloffset;
nPalleteCount = *(u_short *)(data + pixoffset + sizeof(texture_t));
if (!tex.width || tex.width > 256 || tex.height > 256 if ((tmp.offsets[0] + pix != tmp.offsets[1])
|| (tmp.offsets[0] + pix != tmp.offsets[1]) || paloffset != tmp.offsets[2]
|| paloffset != tmp.offsets[2] || palettesize != tmp.offsets[3]) || palettesize != tmp.offsets[3])
{ {
Con_Printf("%s: Bad cached wad %s\n", __func__, wad->name); Con_Printf("%s: Bad cached wad %s\n", __func__, wad->name);
return FALSE; return FALSE;
} }
nPalleteCount = *(u_short *)(data + pixoffset + sizeof(texture_t));
if (nPalleteCount > 256) if (nPalleteCount > 256)
{ {
Con_Printf("%s: Bad cached wad palette size %i on %s\n", __func__, nPalleteCount, wad->name); Con_Printf("%s: Bad cached wad palette size %i on %s\n", __func__, nPalleteCount, wad->name);
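Review bot: The new REHLDS_FIXES bound is one byte too loose for the read it guards: `nPalleteCount = *(u_short *)(data + pixoffset + sizeof(texture_t))` fetches two bytes, but the check rejects only offsets `>=` the limit, so an offset of limit - 1 passes and the second byte is read past the end (assuming `wad->cacheExtra + lump->size` is the size of the buffer behind `data`, which the hunk does not show). Include the width of the read in the comparison, e.g. `if ((pixoffset + sizeof(texture_t) + sizeof(u_short)) > (unsigned)(wad->cacheExtra + lump->size))`. The check also covers only the palette count, not the palette entries that presumably follow it; if the code after this hunk reads `nPalleteCount` entries from `data`, that length needs the same bound. `lump->size` appears to be file-supplied as well, so it is worth confirming it cannot be negative before the `(unsigned)` cast. The body of Draw_ValidateCustomLogo starts and ends outside the hunk.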