From c82ae40e9f7ac15e5f58492955ea9c6d8bdc72a7 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson
Date: Sun, 6 Aug 2017 08:37:48 -0500
Subject: [PATCH] [libpng16] Test or 11 bytes instead of 14 after the iCCP keyword has been read.

---
 pngrutil.c | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/pngrutil.c b/pngrutil.c
index d87484632..949a6720b 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1382,6 +1382,17 @@ png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
     * and only clear them in they were not set before and all the tests pass.
     */
 
+   /* The keyword must be at least one character and there is a
+    * terminator (0) byte and the compression method byte, and the
+    * 'zlib' datastream is at least 11 bytes.
+    */
+   if (length < 14)
+   {
+      png_crc_finish(png_ptr, length);
+      png_chunk_benign_error(png_ptr, "too short");
+      return;
+   }
+
    /* If a colorspace error has already been output skip this chunk */
    if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
    {
@@ -1407,18 +1418,15 @@ png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
    png_crc_read(png_ptr, (png_bytep)keyword, read_length);
    length -= read_length;
 
-   /* The minimum 'zlib' stream is assumed to be just the 2 byte header,
-    * 5 bytes minimum 'deflate' stream, and the 4 byte checksum. The keyword
-    * must be at least one character and there is a terminator (0) byte and
-    * the compression method.
-    */
-
-   if (length < 14)
-   {
-      png_crc_finish(png_ptr, length);
-      png_chunk_benign_error(png_ptr, "too short");
-      return;
-   }
+   /* The minimum 'zlib' stream is assumed to be just the 2 byte header,
+    * 5 bytes minimum 'deflate' stream, and the 4 byte checksum.
+    */
+   if (length < 11)
+   {
+      png_crc_finish(png_ptr, length);
+      png_chunk_benign_error(png_ptr, "too short");
+      return;
+   }
 
    keyword_length = 0;
    while (keyword_length < 80 && keyword_length < read_length &&
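Review bot: The `length < 11` test in the second hunk measures what is left after the whole `read_length` prefix has been consumed by `png_crc_read`, not what is left after the keyword, its terminator and the compression-method byte, so it is stricter than the comment above it claims. If `read_length` is the 81-byte keyword cap computed above the hunk (not visible here), a chunk shorter than 92 bytes is reported as "too short" even though it passed the first hunk's `length < 14` check and the remaining zlib bytes already sit in `keyword[]`; that is a conservative rejection rather than a memory-safety problem, but it silently drops small valid profiles. The exact test belongs after the `keyword_length` scan that follows the hunk, e.g. `if (length + read_length < keyword_length + 2 + 11)`, or, if the stricter behaviour is deliberate, the comment should say the 11 bytes are counted beyond the read prefix rather than beyond the keyword. png_handle_iCCP begins before the first hunk and continues past the second.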