From 61a2d8a2a7b03023e63eae9a3e64607aaaa6d339 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson
Date: Sat, 18 Jun 2011 14:51:09 -0500
Subject: [PATCH] [master] Check for sCAL chunk too short.

---
 ANNOUNCE   | 3 ++-
 CHANGES    | 3 ++-
 pngrutil.c | 8 ++++++++
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/ANNOUNCE b/ANNOUNCE
index 72860edf2..bd4697d1d 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -49,7 +49,8 @@ version 1.4.8beta04 [June 7, 2011]
   Frank Busse, related to CVE-2004-0421).
 
 version 1.4.8beta05 [June 18, 2011]
-  Fixed error in "ACCURATE" 16-to-8 scaling.
+  Fixed error in "ACCURATE" 16-to-8 scaling (John Bowler).
+  Check for sCAL chunk too short.
 
 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit
diff --git a/CHANGES b/CHANGES
index b180e60aa..c2e126197 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2817,7 +2817,8 @@ version 1.4.8beta04 [June 7, 2011]
   Frank Busse, related to CVE-2004-0421).
 
 version 1.4.8beta05 [June 18, 2011]
-  Fixed error in "ACCURATE" 16-to-8 scaling.
+  Fixed error in "ACCURATE" 16-to-8 scaling (John Bowler).
+  Check for sCAL chunk too short.
 
 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit
diff --git a/pngrutil.c b/pngrutil.c
index 113589c69..116f5deda 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1861,6 +1861,14 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
       return;
    }
 
+   /* Need unit type, width, \0, height: minimum 4 bytes */
+   else if (length < 4)
+   {
+      png_warning(png_ptr, "sCAL chunk too short");
+      png_crc_finish(png_ptr, length);
+      return;
+   }
+
    png_debug1(2, "Allocating and reading sCAL chunk data (%lu bytes)",
       (unsigned long)(length + 1));
    png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
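Review bot: The explanatory comment is placed between the closing brace of the previous branch and the new `else if`, so the if/else-if chain is interrupted by a blank line and a comment that reads as if it introduced a fresh statement; moving it inside the block, `else if (length < 4)` / `{` / `/* Need unit type, width, \0, height: minimum 4 bytes */`, keeps the chain readable and matches the branch just above it. The guard itself is sound: the chunk is copied into a buffer of length + 1 (the png_malloc_warn call below the insertion), and fewer than 4 bytes cannot hold all four fields, so rejecting such a chunk here keeps the string parsing that follows from walking past that buffer. Note that 4 is only a lower bound — the parser that follows (outside the hunk) presumably still has to confirm that the `\0` separator actually occurs before the height string is read, which this check does not establish. png_handle_sCAL's body begins and ends outside the hunk.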