Patch up access of malloc'd buffer one byte beyond its size in kplib's
JPEG decoder (unearthed by valgrind). git-svn-id: https://svn.eduke32.com/eduke32@2231 1a8010ca-5511-0410-912e-c29ae57300e0
parent
f87c0db3ce
commit
76d210c4b8
1 changed files with 3 additions and 2 deletions
|
@ -1658,7 +1658,7 @@ static int32_t kpegrend(const char *kfilebuf, int32_t kfilength,
|
||||||
{
|
{
|
||||||
while (curbits < 16) //Getbits
|
while (curbits < 16) //Getbits
|
||||||
{
|
{
|
||||||
ch = *kfileptr++;
|
ch = *kfileptr++; // BUF_LENG_READ
|
||||||
if (ch == 255) kfileptr++;
|
if (ch == 255) kfileptr++;
|
||||||
num = (num<<8)+((int32_t)ch); curbits += 8;
|
num = (num<<8)+((int32_t)ch); curbits += 8;
|
||||||
}
|
}
|
||||||
|
@ -3294,7 +3294,8 @@ void kpzload(const char *filnam, intptr_t *pic, int32_t *bpl, int32_t *xsiz, int
|
||||||
(*pic) = 0;
|
(*pic) = 0;
|
||||||
if (handle < 0) return;
|
if (handle < 0) return;
|
||||||
leng = kfilelength(handle);
|
leng = kfilelength(handle);
|
||||||
buf = (char *)Bmalloc(leng); if (!buf) return;
|
buf = (char *)Bmalloc(leng+1); if (!buf) return;
|
||||||
|
buf[leng]=0; // FIXME: buf[leng] read in kpegrend(), see BUF_LENG_READ
|
||||||
kread(handle,buf,leng);
|
kread(handle,buf,leng);
|
||||||
kclose(handle);
|
kclose(handle);
|
||||||
|
|
||||||
|
|
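Review bot: The extra byte allocated in kpzload only hides the over-read; the Getbits loop in kpegrend (the line tagged BUF_LENG_READ) still dereferences kfileptr with no comparison against kfilebuf + kfilength, and it can advance two bytes per iteration when ch == 255, so a truncated or malformed JPEG may run past the single padding byte. Unless a bound is enforced outside this hunk, the read itself should be guarded, e.g. `ch = ((const char *)kfileptr < kfilebuf + kfilength) ? *kfileptr++ : 0;`, which would also cover any caller of kpegrend whose buffer is not allocated by kpzload. In kpzload, the new `buf[leng]=0;` runs before leng is validated; if kfilelength can return a negative value (not visible here), that is an out-of-bounds write, so a check such as `if (leng < 0) { kclose(handle); return; }` should precede the allocation. Both function bodies extend beyond the lines shown.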