Fix Amiga2 palette bounds handling by segrax · Pull Request #120 · OpenFodder/openfodder

segrax · 2026-05-24T02:13:41Z

The Amiga2 palette parser and loader could read past the end of .PAL buffers and write past the fixed 256-entry mPalette array, enabling local asset-triggered memory corruption.
The new CF2 Amiga path exposed this by parsing .PAL as 3-byte triplets while callers passed byte counts to the loader and some calls start at high palette indices (e.g. 0xE0).

Hardened cGraphics_Amiga2::GetPalette() to only consume complete 3-byte RGB triplets by iterating with for (; a0 + 2 < a0End; a0 += 3) and using a0[0], a0[1], a0[2] for conversion to avoid out-of-bounds reads. (file: Source/Amiga/Graphics_Amiga2.cpp)
Ensured palette conversion pushes the intended two output bytes per color while using a bounds-safe source loop. (file: Source/Amiga/Graphics_Amiga2.cpp)
Clamped sImage::LoadPalette_Amiga() to the valid mPalette range by early-returning if pStartColorID >= 256 and using std::min(pCount, 256 - pStartColorID) for the loop count to prevent out-of-bounds writes. (file: Source/Graphics.hpp)

Inspected changed files with rg and sed to verify modifications, and the checks succeeded.
Verified the resulting diff with git diff -- Source/Amiga/Graphics_Amiga2.cpp Source/Graphics.hpp and it showed the intended changes.
Committed the changes with git add / git commit and created the PR metadata via make_pr, and all commands completed successfully.

Fix Amiga2 palette bounds handling

da56ab0

segrax added aardvark codex labels May 24, 2026 — with ChatGPT Codex Connector

segrax merged commit 6767235 into master May 24, 2026
4 of 6 checks passed

segrax deleted the codex/fix-amiga2-palette-loading-vulnerability branch May 24, 2026 02:35

Provide feedback