From 9b001987e98d8ee0d5e29421ac78560c0396b3ed Mon Sep 17 00:00:00 2001
From: Alibek Omarov
Date: Mon, 5 Dec 2022 05:39:41 +0300
Subject: [PATCH] engine: imagelib: fix crash when chunk length is more than file size
---
 engine/common/imagelib/img_png.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/engine/common/imagelib/img_png.c b/engine/common/imagelib/img_png.c
index 95addfe8..ac013988 100644
--- a/engine/common/imagelib/img_png.c
+++ b/engine/common/imagelib/img_png.c
@@ -161,7 +161,14 @@ qboolean Image_LoadPNG( const char *name, const byte *buffer, fs_offset_t filesi
 if( chunk_len > INT_MAX )
 {
 Con_DPrintf( S_ERROR "Image_LoadPNG: Found chunk with wrong size (%s)\n", name );
- Mem_Free( idat_buf );
+ if( idat_buf ) Mem_Free( idat_buf );
+ return false;
+ }
+
+ if( chunk_len > filesize - ( buf_p - buffer ))
+ {
 Con_DPrintf( S_ERROR "Image_LoadPNG: Found chunk with size past file size (%s)\n", name );
+ if( idat_buf ) Mem_Free( idat_buf );
 return false;
 }
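Review bot: The new bound `chunk_len > filesize - ( buf_p - buffer )` reserves room only for the chunk data, but every PNG chunk is followed by a 4-byte CRC; if the code after this hunk advances `buf_p` past the data and then reads that CRC, a chunk whose data ends exactly at `filesize` still reads four bytes beyond the buffer. Reserving the trailer in the same check closes that gap, e.g. `if( filesize - ( buf_p - buffer ) < 4 || chunk_len > filesize - ( buf_p - buffer ) - 4 )`; if the CRC is instead consumed before the data or bounded elsewhere, this does not apply. The comparison also mixes `chunk_len` (presumably an unsigned 32-bit value, given the preceding `INT_MAX` check) with a signed difference: with a 64-bit `fs_offset_t` a negative remainder still rejects the chunk, but if `fs_offset_t` is 32-bit on some target the negative value converts to a large unsigned one and the check passes, so it is worth confirming the type or comparing against an explicitly computed non-negative remaining count. Image_LoadPNG starts before this hunk and continues after it.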