Guard PC resource buffer accesses against truncated DAT files by segrax · Pull Request #118 · OpenFodder/openfodder

segrax · 2026-05-24T02:13:30Z

Fix out-of-bounds reads and writes triggered when resource DAT files are undersized because file-backed std::vector<uint8> buffers replace legacy fixed-size buffers while code still reads/writes fixed offsets.

Add a bounds check to sImage::LoadPalette so it returns early if pFrom + (pCount * 3) would exceed the backing buffer size, preventing palette reads past the end of the file buffer.
Cap the recruit hill-sprite clear loop to min(0xA000, mImageHillSprites.mData->size()) so writes do not overflow when hill.dat is truncated.
Changes are minimal and localized to the vulnerable PC graphics paths in Source/Graphics.hpp and Source/PC/Graphics_PC.cpp and preserve behavior for correctly-sized original assets.

Ran repository sanity and inspection commands (git diff, nl -ba excerpts) to verify the patch is applied and the modified lines appear as expected, and git commit succeeded for the change.
Created the PR metadata with make_pr to record the change.
An earlier automated ASan build attempt (during vulnerability validation) revealed the issue but could not be re-run post-patch because the environment lacks SDL2 development headers (sdl2-config / SDL.h), so full ASan verification could not be completed in this container.

Guard PC image palette and hill buffer accesses

d119270

segrax added codex aardvark labels May 24, 2026 — with ChatGPT Codex Connector

segrax merged commit 52b654c into master May 24, 2026
6 checks passed

segrax deleted the codex/propose-fix-for-vulnerability-in-asset-loading branch May 24, 2026 02:35

Provide feedback