diff --git a/png.c b/png.c index 466ad4b33..8ee0f1a77 100644 --- a/png.c +++ b/png.c @@ -948,40 +948,41 @@ png_check_IHDR(png_structp png_ptr, #ifdef PNG_SET_USER_LIMITS_SUPPORTED if (width > png_ptr->user_width_max || width > PNG_USER_WIDTH_MAX) - { - png_warning(png_ptr, "Image width exceeds user limit in IHDR"); - error = 1; - } - - if (height > png_ptr->user_height_max || height > PNG_USER_HEIGHT_MAX) - { - png_warning(png_ptr, "Image height exceeds user limit in IHDR"); - error = 1; - } - #else - if (width > PNG_USER_WIDTH_MAX + if (width > PNG_USER_WIDTH_MAX) +#endif { png_warning(png_ptr, "Image width exceeds user limit in IHDR"); + if ((width >> 16) == height) + { + /* This is likely to be caused by passing consecutive addresses + * of 16-bit width and height variables to png_get_IHDR(), which + * overflowed when we tried to fill them with 31-bit data. + */ + png_warning(png_ptr, "High bytes of width == low bytes of height"); + } error = 1; } +#ifdef PNG_SET_USER_LIMITS_SUPPORTED + if (height > png_ptr->user_height_max || height > PNG_USER_HEIGHT_MAX) +#else if (height > PNG_USER_HEIGHT_MAX) +#endif { png_warning(png_ptr, "Image height exceeds user limit in IHDR"); error = 1; } -#endif - if (height > PNG_UINT_31_MAX) + if (width > PNG_UINT_31_MAX) { - png_warning(png_ptr, "Invalid image height in IHDR"); + png_warning(png_ptr, "Invalid image width in IHDR"); error = 1; } if ( height > PNG_UINT_31_MAX) { - png_warning(png_ptr, "Invalid image width in IHDR"); + png_warning(png_ptr, "Invalid image height in IHDR"); error = 1; }