fix(targa): Protection against corrupt, mis-sized palette

* Check that the palette isn't senselessly bigger than the bpp calls
  for.
* Protection against integer overflow when addressing the palette.

Signed-off-by: Larry Gritz <lg@larrygritz.com>

Author: lgritz

src/targa.imageio/targainput.cpp

@@ -203,7 +203,6 @@ TGAInput::open(const std::string& name, ImageSpec& newspec)
         errorfmt("Palette image with no palette");
         return false;
     }
-
     if (is_palette()) {
         if (m_tga.type == TYPE_GRAY || m_tga.type == TYPE_GRAY_RLE) {
             // it should be an error for TYPE_RGB* as well, but apparently some
@@ -216,6 +215,12 @@ TGAInput::open(const std::string& name, ImageSpec& newspec)
             errorfmt("Illegal palette entry size: {} bits", m_tga.cmap_size);
             return false;
         }
+        if (m_tga.cmap_first + m_tga.cmap_length > (uint64_t(1) << m_tga.bpp)) {
+            errorfmt(
+                "Too big a color palette ({}) for {} bpp, assume corruption",
+                m_tga.cmap_first + m_tga.cmap_length, m_tga.bpp);
+            return false;
+        }
     }
 
     m_alpha_type = TGA_ALPHA_NONE;
@@ -572,14 +577,14 @@ TGAInput::decode_pixel(unsigned char* in, unsigned char* out,
                        unsigned char* palette, int bytespp, int palbytespp,
                        size_t palette_alloc_size)
 {
-    unsigned int k = 0;
+    uint64_t k = 0;
     // I hate nested switches...
     switch (m_tga.type) {
     case TYPE_PALETTED:
     case TYPE_PALETTED_RLE:
         for (int i = 0; i < bytespp; ++i)
             k |= in[i] << (8 * i);  // Assemble it in little endian order
-        k = (m_tga.cmap_first + k) * palbytespp;
+        k = (m_tga.cmap_first + k) * uint64_t(palbytespp);
         if (k + palbytespp > palette_alloc_size) {
             errorfmt("Corrupt palette index");
             return false;

testsuite/targa/ref/out.txt

@@ -201,14 +201,17 @@ Full command line was:
 oiiotool ERROR: read : "src/crash1707.tga": Invalid alpha type 138. Corrupted header?
 Full command line was:
 > oiiotool --oiioattrib try_all_readers 0 src/crash1707.tga -o crash1707.exr
-oiiotool ERROR: read : "src/crash1708.tga": Corrupt palette index
+oiiotool ERROR: read : "src/crash1708.tga": Too big a color palette (382) for 8 bpp, assume corruption
 Full command line was:
 > oiiotool --oiioattrib try_all_readers 0 src/crash1708.tga -o crash1708.exr
 oiiotool ERROR: read : "src/crash3952.tga": Uncompressed image size 15231.5 MB exceeds the 1024 MB limit.
 Image claimed to be 60927x65535, 4-channel uint8. Possible corrupt input?
 If this is a valid file, raise the OIIO attribute "limits:imagesize_MB".
 Full command line was:
 > oiiotool --oiioattrib limits:imagesize_MB 1024 --oiioattrib try_all_readers 0 src/crash3952.tga -o crash3952.exr
+oiiotool ERROR: read : "src/crash-20250423.tga": Corrupt palette index
+Full command line was:
+> oiiotool --oiioattrib try_all_readers 0 src/crash-20250423.tga -o out.null
 Reading src/1x1.tga
 src/1x1.tga          :    1 x    1, 3 channel, uint2 targa
     SHA-1: DB9237F28F9622F7B7E73B783A8822B63BDB3708

testsuite/targa/run.py

@@ -27,6 +27,7 @@
 command += oiiotool("--oiioattrib limits:imagesize_MB 1024 "
                     "--oiioattrib try_all_readers 0 "
                     "src/crash3952.tga -o crash3952.exr", failureok = True)
+command += oiiotool("--oiioattrib try_all_readers 0 src/crash-20250423.tga -o out.null", failureok=True);
 
 # Test odds and ends, unusual files
 command += rw_command("src", "1x1.tga")