From 2cbb07d7adc2c4bcdabe5b3ecf651baff2d52ceb Mon Sep 17 00:00:00 2001 From: Campbell Barton Date: Fri, 11 Apr 2025 15:22:17 +1000 Subject: [PATCH] Fix: error reading RLE compressed Iris images Regression in [0] which used a 4x large size bounds check to prevent a buffer read overflow reading the RLE table. [0]: 829916f4e57a2d1580ff3b625f6bb909b9144a20 --- source/blender/imbuf/intern/format_iris.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/blender/imbuf/intern/format_iris.cc b/source/blender/imbuf/intern/format_iris.cc index 3cd63afe647..f55d474f916 100644 --- a/source/blender/imbuf/intern/format_iris.cc +++ b/source/blender/imbuf/intern/format_iris.cc @@ -293,7 +293,7 @@ ImBuf *imb_loadiris(const uchar *mem, size_t size, int flags, ImFileColorSpace & } \ ((void)0) - MFILE_CAPACITY_AT_PTR_OK_OR_FAIL(MFILE_DATA(inf) + ((4 * 2) * tablen)); + MFILE_CAPACITY_AT_PTR_OK_OR_FAIL(MFILE_DATA(inf) + (2 * tablen)); readtab(inf, starttab, tablen); readtab(inf, lengthtab, tablen);