[master] Revised png_check_IHDR()
This commit is contained in:
parent
caaf688582
commit
f12abe957d
33
png.c
33
png.c
@ -948,40 +948,41 @@ png_check_IHDR(png_structp png_ptr,
|
||||
|
||||
#ifdef PNG_SET_USER_LIMITS_SUPPORTED
|
||||
if (width > png_ptr->user_width_max || width > PNG_USER_WIDTH_MAX)
|
||||
{
|
||||
png_warning(png_ptr, "Image width exceeds user limit in IHDR");
|
||||
error = 1;
|
||||
}
|
||||
|
||||
if (height > png_ptr->user_height_max || height > PNG_USER_HEIGHT_MAX)
|
||||
{
|
||||
png_warning(png_ptr, "Image height exceeds user limit in IHDR");
|
||||
error = 1;
|
||||
}
|
||||
|
||||
#else
|
||||
if (width > PNG_USER_WIDTH_MAX
|
||||
if (width > PNG_USER_WIDTH_MAX)
|
||||
#endif
|
||||
{
|
||||
png_warning(png_ptr, "Image width exceeds user limit in IHDR");
|
||||
if ((width >> 16) == height)
|
||||
{
|
||||
/* This is likely to be caused by passing consecutive addresses
|
||||
* of 16-bit width and height variables to png_get_IHDR(), which
|
||||
* overflowed when we tried to fill them with 31-bit data.
|
||||
*/
|
||||
png_warning(png_ptr, "High bytes of width == low bytes of height");
|
||||
}
|
||||
error = 1;
|
||||
}
|
||||
|
||||
#ifdef PNG_SET_USER_LIMITS_SUPPORTED
|
||||
if (height > png_ptr->user_height_max || height > PNG_USER_HEIGHT_MAX)
|
||||
#else
|
||||
if (height > PNG_USER_HEIGHT_MAX)
|
||||
#endif
|
||||
{
|
||||
png_warning(png_ptr, "Image height exceeds user limit in IHDR");
|
||||
error = 1;
|
||||
}
|
||||
#endif
|
||||
|
||||
if (height > PNG_UINT_31_MAX)
|
||||
if (width > PNG_UINT_31_MAX)
|
||||
{
|
||||
png_warning(png_ptr, "Invalid image height in IHDR");
|
||||
png_warning(png_ptr, "Invalid image width in IHDR");
|
||||
error = 1;
|
||||
}
|
||||
|
||||
if ( height > PNG_UINT_31_MAX)
|
||||
{
|
||||
png_warning(png_ptr, "Invalid image width in IHDR");
|
||||
png_warning(png_ptr, "Invalid image height in IHDR");
|
||||
error = 1;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user