Jaroslav Lobačevski
`stbi__malloc` in [`stbi__convert_8_to_16`](https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_image.h#L1204-L1218) [1] may overflow. However, for successful exploitation, `img_len` must be bigger than zero [2]. Any big enough `img_len` multiplied by 2 and cast to `size_t` on a...
A crafted image file can trigger a null pointer access in [`stbi__convert_format`](https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_image.h#L1786) where `src` is null. It happens when [`stbi__pic_load_core`](https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_image.h#L6528-L6531) in `stbi__pic_load` fails: the `result` is set to zero [1], but...
Fixes #1546
A crafted file may trigger an out of bounds read in the [`DECODE`](https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L3231) macro [when `var` is negative](https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L1754-L1756) [1]

```cpp
#define DECODE(var,f,c) \
   DECODE_RAW(var,f,c) \
   if (c->sparse) var = c->sorted_values[var]; // [1]...
```
A crafted file may trigger a memory write past an allocated heap buffer in [`start_decoder`](https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L3660-L3677) at [1]. The root cause is a potential integer overflow in `sizeof(char*) * (f->comment_list_length)` at [2], which...
Call `stbi__vertical_flip_slices` only if the previous function didn't fail. Fixes #1550
If [`stbi__load_gif_main`](https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_image.h#L1448) in [`stbi_load_gif_from_memory`](https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_image.h#L1442-L1454) [1] fails, it returns a null pointer and may leave the `z` variable uninitialized. If the caller also sets the flip-vertically flag [2], it...
Cast to `size_t` to avoid multiplication overflow. Fixes #1529