cheng/libpng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[libpng16] Fix the calculation of row_factor in png_check_chunk_length

Browse Source 
(Bug report by Thuan Pham, SourceForge issue #278)
This commit is contained in:
Cosmin Truta 2018-06-17 22:56:29 -04:00
parent a74aa9a002
commit 8a05766cb7
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
pngrutil.c
View File

@ -3167,10 +3167,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
{ {
png_alloc_size_t idat_limit = PNG_UINT_31_MAX; png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
size_t row_factor = size_t row_factor =
(png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1) (size_t)png_ptr->width
+ 1 + (png_ptr->interlaced? 6: 0)); * (size_t)png_ptr->channels
* (png_ptr->bit_depth > 8? 2: 1)
+ 1
+ (png_ptr->interlaced? 6: 0);
if (png_ptr->height > PNG_UINT_32_MAX/row_factor) if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
idat_limit=PNG_UINT_31_MAX; idat_limit = PNG_UINT_31_MAX;
else else
idat_limit = png_ptr->height * row_factor; idat_limit = png_ptr->height * row_factor;
row_factor = row_factor > 32566? 32566 : row_factor; row_factor = row_factor > 32566? 32566 : row_factor;