Fix integer overflow in the TGA loader (found with afl-fuzz).

divVerent · divVerent · commit 7acc018d112c · 2016-04-11T17:11:20.000Z
git-svn-id: svn://svn.icculus.org/twilight/trunk/dpvideo@12255 d7cf8633-e32d-0410-b094-e92efae38249
diff --git a/tgafile.c b/tgafile.c
@@ -1,4 +1,5 @@
 
+#include <limits.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
@@ -65,6 +66,12 @@ tgafile_t *loadtga(char *filename)
 	columns = targa.width;
 	rows = targa.height;
 
+	if (columns <= 0 || rows <= 0 || rows > (INT_MAX / 3) / columns) {
+		printf ("LoadTGA: %i by %i is an invalid image size\n", columns, rows);
+		free(data);
+		return NULL;
+	}
+
 	pixels = malloc(columns * rows * 3);
 	if (!pixels)
 	{
