From 801b925edf39a57b5ff87021007a8ac8a582fac9 Mon Sep 17 00:00:00 2001
From: John Bowler
Date: Sun, 29 May 2016 09:30:00 -0700
Subject: [PATCH] pngvalid.c: correct progressive read input buffer

The previous version of the code invariably passed just one byte at a time to libpng. The intention was to pass a random number of bytes in the range 0..511 (and this is what happens now).

Signed-off-by: John Bowler
---
 contrib/libtests/pngvalid.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/contrib/libtests/pngvalid.c b/contrib/libtests/pngvalid.c
index 6f17841a6..60bde8d6c 100644
--- a/contrib/libtests/pngvalid.c
+++ b/contrib/libtests/pngvalid.c
@@ -1478,15 +1478,15 @@ store_read_imp(png_store *ps, png_bytep pb, png_size_t st)
 }
 static png_size_t
-store_read_chunk(png_store *ps, png_bytep pb, png_size_t max, png_size_t st)
+store_read_chunk(png_store *ps, png_bytep pb, const png_size_t max,
+ const png_size_t min)
 {
 png_uint_32 chunklen = ps->chunklen;
 png_uint_32 chunktype = ps->chunktype;
 png_uint_32 chunkpos = ps->chunkpos;
+ png_size_t st = max;
- max -= st;
-
- if (max+st > 0) do
+ if (st > 0) do
 {
 if (chunkpos >= chunklen) /* end of last chunk */
 {
@@ -1651,7 +1651,7 @@ store_read_chunk(png_store *ps, png_bytep pb, png_size_t max, png_size_t st)
 ps->IDAT_size = IDAT_size;
 }
- else
+ else /* !IDAT */
 {
 /* If there is still some pending IDAT data after the IDAT chunks have
 * been processed there is a problem:
@@ -1694,8 +1694,15 @@ store_read_chunk(png_store *ps, png_bytep pb, png_size_t max, png_size_t st)
 pb += avail;
 st -= avail;
 chunkpos += (png_uint_32)/*SAFE*/avail;
+
+ /* Check for end of chunk and end-of-file; don't try to read a new
+ * chunk header at this point unless instructed to do so by 'min'.
+ */
+ if (chunkpos >= chunklen && max-st >= min &&
+ store_read_buffer_avail(ps) == 0)
+ break;
 }
- }
+ } /* !IDAT */
 } while (st > 0);
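Review bot: The new `min` parameter in the store_read_chunk signature has no documented contract, and nothing guards the precondition min <= max that the later `max-st >= min` test depends on — with min > max the condition can never hold, so the function silently fills the whole buffer and returns 0 rather than reporting a misuse. I would add a header comment above the new signature such as `/* Fill up to 'max' bytes of 'pb'; keep reading across chunk ends until at least 'min' bytes (must be <= max) are stored. Returns the space left in 'pb'. */` together with an `assert(min <= max);` (or a note that the caller guarantees it) right after the local declarations. Note also that the caller of store_read_chunk is not touched by this patch (the four visible hunks account for the full 14/7 diffstat), so the third argument's meaning changing from "bytes to read" to "minimum bytes" presumably matches what the caller already passes — worth confirming, since the compiler cannot catch a same-typed argument reinterpretation. store_read_chunk's body continues past the end of this hunk.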
@@ -1703,7 +1710,7 @@ store_read_chunk(png_store *ps, png_bytep pb, png_size_t max, png_size_t st)
 ps->chunktype = chunktype;
 ps->chunkpos = chunkpos;
- return max+st;
+ return st; /* space left */
 }
 static void PNGCBAPI