1 files changed, 25 insertions, 1 deletions

diff --git a/thirdparty/libktx/lib/hashlist.c b/thirdparty/libktx/lib/hashlist.c
index 0ca89fc561..acfe41e5fc 100644
--- a/thirdparty/libktx/lib/hashlist.c
+++ b/thirdparty/libktx/lib/hashlist.c
@@ -525,14 +525,38 @@ ktxHashList_Deserialize(ktxHashList* pHead, unsigned int kvdLen, void* pKvd)
 
     result = KTX_SUCCESS;
     while (result == KTX_SUCCESS && src < (char *)pKvd + kvdLen) {
+        if (src + 6 > (char *)pKvd + kvdLen) {
+            // Not enough space for another entry
+            return KTX_FILE_DATA_ERROR;
+        }
+
         char* key;
         unsigned int keyLen, valueLen;
         void* value;
         ktx_uint32_t keyAndValueByteSize = *((ktx_uint32_t*)src);
 
+        if (src + 4 + keyAndValueByteSize > (char *)pKvd + kvdLen) {
+            // Not enough space for this entry
+            return KTX_FILE_DATA_ERROR;
+        }
+
         src += sizeof(keyAndValueByteSize);
         key = src;
-        keyLen = (unsigned int)strlen(key) + 1;
+        keyLen = 0;
+
+        while (keyLen < keyAndValueByteSize && key[keyLen] != '\0') keyLen++;
+
+        if (key[keyLen] != '\0') {
+            // Missing NULL terminator
+            return KTX_FILE_DATA_ERROR;
+        }
+
+        if (keyLen >= 3 && key[0] == '\xEF' && key[1] == '\xBB' && key[2] == '\xBF') {
+            // Forbidden BOM
+            return KTX_FILE_DATA_ERROR;
+        }
+
+        keyLen += 1;
         value = key + keyLen;
 
         valueLen = keyAndValueByteSize - keyLen;