fix(targa): Protection against corrupt, mis-sized palette (AcademySoftwareFoundation#5165)

lgritz · lgritz · commit 9d2bfacdce1b · 2026-04-26T12:47:59.000-07:00
* Check that the palette isn't senselessly bigger than the bpp calls
for.
* Protection against integer overflow when addressing the palette.
* Fix misunderstanding of the role of the palette "start" index. Pixel
values are absolute, not relative to the start index. The bug would have
produced incorrect images (or incorrectly reported image corruptions) if
we ever came across an tga file with a non-zero palette start index.

---------

Signed-off-by: Larry Gritz &lt;lg@larrygritz.com&gt;
diff --git a/src/targa.imageio/targa_pvt.h b/src/targa.imageio/targa_pvt.h
@@ -34,9 +34,9 @@ typedef struct {
     uint8_t idlen;         ///< image comment length
     uint8_t cmap_type;     ///< palette type
     uint8_t type;          ///< image type (see tga_image_type)
-    uint16_t cmap_first;   ///< offset to first entry
-    uint16_t cmap_length;  ///<
-    uint8_t cmap_size;     ///< palette size
+    uint16_t cmap_first;   ///< offset to first stored color entry
+    uint16_t cmap_length;  ///< number of stored color map entries
+    uint8_t cmap_size;     ///< bits per palette entry: 15, 16, 24, or 32
     uint16_t x_origin;     ///<
     uint16_t y_origin;     ///<
     uint16_t width;        ///< image width
diff --git a/src/targa.imageio/targainput.cpp b/src/targa.imageio/targainput.cpp
@@ -203,7 +203,6 @@ TGAInput::open(const std::string& name, ImageSpec& newspec)
         errorfmt("Palette image with no palette");
         return false;
     }
-
     if (is_palette()) {
         if (m_tga.type == TYPE_GRAY || m_tga.type == TYPE_GRAY_RLE) {
             // it should be an error for TYPE_RGB* as well, but apparently some
@@ -216,6 +215,12 @@ TGAInput::open(const std::string& name, ImageSpec& newspec)
             errorfmt("Illegal palette entry size: {} bits", m_tga.cmap_size);
             return false;
         }
+        if (m_tga.cmap_first + m_tga.cmap_length > (uint64_t(1) << m_tga.bpp)) {
+            errorfmt(
+                "Too big a color palette ({}) for {} bpp, assume corruption",
+                m_tga.cmap_first + m_tga.cmap_length, m_tga.bpp);
+            return false;
+        }
     }
 
     m_alpha_type = TGA_ALPHA_NONE;
@@ -577,18 +582,20 @@ TGAInput::decode_pixel(unsigned char* in, unsigned char* out,
                        unsigned char* palette, int bytespp, int palbytespp,
                        size_t palette_alloc_size)
 {
-    unsigned int k = 0;
+    uint64_t k = 0;
     // I hate nested switches...
     switch (m_tga.type) {
     case TYPE_PALETTED:
     case TYPE_PALETTED_RLE:
         for (int i = 0; i < bytespp; ++i)
             k |= in[i] << (8 * i);  // Assemble it in little endian order
-        k = (m_tga.cmap_first + k) * palbytespp;
-        if (k + palbytespp > palette_alloc_size) {
+        if (k < m_tga.cmap_first || k >= m_tga.cmap_first + m_tga.cmap_length) {
             errorfmt("Corrupt palette index");
             return false;
         }
+        // The palette indices stored in the file's pixels are absolute, so
+        // subtract the start offset to correctly index from the palette.
+        k = (k - m_tga.cmap_first) * uint64_t(palbytespp);
         switch (palbytespp) {
         case 2:
             // see the comment for 16bpp RGB below for an explanation of this
diff --git a/testsuite/targa/ref/out.txt b/testsuite/targa/ref/out.txt
@@ -201,14 +201,17 @@ Full command line was:
 oiiotool ERROR: read : "src/crash1707.tga": Invalid alpha type 138. Corrupted header?
 Full command line was:
 > oiiotool --oiioattrib try_all_readers 0 src/crash1707.tga -o crash1707.exr
-oiiotool ERROR: read : "src/crash1708.tga": Corrupt palette index
+oiiotool ERROR: read : "src/crash1708.tga": Too big a color palette (382) for 8 bpp, assume corruption
 Full command line was:
 > oiiotool --oiioattrib try_all_readers 0 src/crash1708.tga -o crash1708.exr
 oiiotool ERROR: read : "src/crash3952.tga": Uncompressed image size 15231.5 MB exceeds the 1024 MB limit.
 Image claimed to be 60927x65535, 4-channel uint8. Possible corrupt input?
 If this is a valid file, raise the OIIO attribute "limits:imagesize_MB".
 Full command line was:
 > oiiotool --oiioattrib limits:imagesize_MB 1024 --oiioattrib try_all_readers 0 src/crash3952.tga -o crash3952.exr
+oiiotool ERROR: read : "src/crash-20250423.tga": Corrupt palette index
+Full command line was:
+> oiiotool --oiioattrib try_all_readers 0 src/crash-20250423.tga -o out.null
 Reading src/1x1.tga
 src/1x1.tga          :    1 x    1, 3 channel, uint2 targa
     SHA-1: DB9237F28F9622F7B7E73B783A8822B63BDB3708
diff --git a/testsuite/targa/run.py b/testsuite/targa/run.py
@@ -27,6 +27,7 @@
 command += oiiotool("--oiioattrib limits:imagesize_MB 1024 "
                     "--oiioattrib try_all_readers 0 "
                     "src/crash3952.tga -o crash3952.exr", failureok = True)
+command += oiiotool("--oiioattrib try_all_readers 0 src/crash-20250423.tga -o out.null", failureok=True);
 
 # Test odds and ends, unusual files
 command += rw_command("src", "1x1.tga")
diff --git a/testsuite/targa/src/crash-20250423.tga b/testsuite/targa/src/crash-20250423.tga
