Description: Prevent integer overflow in ssgLoadTGA() function. CVE-2021-38714
Author: Anton Gladky <gladk@debian.org>
Bug-Debian: https://bugs.debian.org/992973
Last-Update: 2021-10-02

Index: plib/src/ssg/ssgLoadTGA.cxx
===================================================================
--- plib.orig/src/ssg/ssgLoadTGA.cxx
+++ plib/src/ssg/ssgLoadTGA.cxx
@@ -23,6 +23,7 @@
 
 
 #include "ssgLocal.h"
+#include <new>
 
 #ifdef SSG_LOAD_TGA_SUPPORTED
 
@@ -103,9 +104,9 @@ bool ssgLoadTGA ( const char *fname, ssg
 
     // image info
     int type = header[2];
-    int xsize = get16u(header + 12);
-    int ysize = get16u(header + 14);
-    int bits  = header[16];
+    unsigned int xsize = get16u(header + 12);
+    unsigned int ysize = get16u(header + 14);
+    unsigned int bits  = header[16];
 
     /* image types:
      *
@@ -169,9 +170,32 @@ bool ssgLoadTGA ( const char *fname, ssg
     }
 
 
+    const auto bytes_to_allocate = (bits / 8) * xsize * ysize;
+
+    ulSetError( UL_DEBUG, "bytes_to_allocate=%ld xsize = %ld, ysize = %ld, %ld == %ld ", bytes_to_allocate, xsize, ysize, bytes_to_allocate / xsize, (ysize * (bits / 8)));
+    
+    if (xsize != 0 && ((ysize * (bits / 8)) != bytes_to_allocate / xsize))
+    {
+    	ulSetError( UL_WARNING, "Integer overflow in image size: xsize = %d, ysize = %d", xsize, ysize);
+	    return false;
+    }
+    else
+    {
+        ulSetError( UL_DEBUG, "ssgLoadTGA: Allocating %ld bytes for the size %d x %d", bytes_to_allocate, xsize, ysize );
+    }
+
     // read image data
 
-    GLubyte *image = new GLubyte [ (bits / 8) * xsize * ysize ];
+    GLubyte *image;
+    try
+    {
+        image = new GLubyte [ bytes_to_allocate ];
+    }
+    catch (const std::bad_alloc&)
+    {
+        ulSetError( UL_WARNING, "ssgLoadTGA:  Allocation of %d bytes failed!", bytes_to_allocate);
+	    return false;
+    }
 
     if ((type & 8) != 0) 
     {
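Review bot: The first `ulSetError( UL_DEBUG, ...)` call after `bytes_to_allocate` is computed passes `bytes_to_allocate / xsize` as an argument before the `xsize != 0` guard on the following `if`, so a TGA header with a zero width would divide by zero there unless a check outside this hunk already rejects it. Moving that debug call under the guard, or dropping the quotient from it, closes the gap. The format strings also no longer match their arguments: `bytes_to_allocate`, `xsize` and `ysize` are all `unsigned int` after this patch, so the `%ld` and `%d` conversions in the four `ulSetError` calls should be `%u`, e.g. `ulSetError( UL_WARNING, "Integer overflow in image size: xsize = %u, ysize = %u", xsize, ysize);`. The body of ssgLoadTGA starts and ends outside the hunk, so whether a zero-byte allocation (zero `ysize`, or `bits` below 8) is handled safely by the read loop that follows cannot be confirmed from here.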