Add extra checks to validate WAD3 MIP-Header. (#755)

* Add extra checks to validate WAD3 MIP-Header.
dreamstalker · Mar 22, 2020 · 07539e2 · 07539e2
1 parent c4cecf5
commit 07539e2
Showing 1 changed file with 21 additions and 4 deletions.
diff --git a/rehlds/engine/decals.cpp b/rehlds/engine/decals.cpp
@@ -742,23 +742,40 @@ qboolean Draw_ValidateCustomLogo(cachewad_t *wad, unsigned char *data, lumpinfo_
 	tex.alternate_anims = NULL;
 	tex.anim_next = NULL;
 
+	if (!tex.width || tex.width > 256 || tex.height > 256)
+	{
+		Con_Printf("%s: Bad wad dimensions %s\n", __func__, wad->name);
+		return FALSE;
+	}
+
 	for (int i = 0; i < MIPLEVELS; i++)
 		tex.offsets[i] = wad->cacheExtra + LittleLong(tmp.offsets[i]);
 
 	pix = tex.width * tex.height;
 	pixoffset = pix + (pix >> 2) + (pix >> 4) + (pix >> 6);
+
+#ifdef REHLDS_FIXES
+	// Ensure that pixoffset won't be exceed the pre allocated buffer
+	// This can happen when there are no color palettes in payload
+	if ((pixoffset + sizeof(texture_t)) >= (unsigned)(wad->cacheExtra + lump->size))
+	{
+		Con_Printf("%s: Bad wad payload size %s\n", __func__, wad->name);
+		return FALSE;
+	}
+#endif
+
 	paloffset = (pix >> 2) + tmp.offsets[0] + pix;
 	palettesize = (pix >> 4) + paloffset;
-	nPalleteCount = *(u_short *)(data + pixoffset + sizeof(texture_t));
 
-	if (!tex.width || tex.width > 256 || tex.height > 256
-		|| (tmp.offsets[0] + pix != tmp.offsets[1])
-		|| paloffset != tmp.offsets[2] || palettesize != tmp.offsets[3])
+	if ((tmp.offsets[0] + pix != tmp.offsets[1])
+		|| paloffset != tmp.offsets[2]
+		|| palettesize != tmp.offsets[3])
 	{
 		Con_Printf("%s: Bad cached wad %s\n", __func__, wad->name);
 		return FALSE;
 	}
 
+	nPalleteCount = *(u_short *)(data + pixoffset + sizeof(texture_t));
 	if (nPalleteCount > 256)
 	{
 		Con_Printf("%s: Bad cached wad palette size %i on %s\n", __func__, nPalleteCount, wad->name);