mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[libpng16] Check for integer overflow in contrib/visupng.

Browse Source
This commit is contained in:
Glenn Randers-Pehrson
2017-04-23 17:33:10 -05:00
parent 0808d75851
commit 170a44b222
4 changed files with 17 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
contrib/visupng/PngFile.c
View File

@@ -236,6 +236,10 @@ BOOL PngLoadImage (PTSTR pstrFileName, png_byte **ppbImageData,
free (pbImageData);
pbImageData = NULL;
}
if ((*piHeight) > ((size_t)(-1))/ulRowBytes) {
{
png_error(png_ptr, "Visual PNG: image is too big");
}
if ((pbImageData = (png_byte *) malloc(ulRowBytes * (*piHeight)
* sizeof(png_byte))) == NULL)
{

8
contrib/visupng/VisualPng.c
View File

@@ -726,6 +726,10 @@ BOOL DisplayImage (HWND hwnd, BYTE **ppDib,
pDib = NULL;
}
if (cyWinSize > ((size_t)(-1))/wDIRowBytes) {
{
MessageBox (hwnd, TEXT ("Visual PNG: image is too big");
}
if (!(pDib = (BYTE *) malloc (sizeof(BITMAPINFOHEADER) +
wDIRowBytes * cyWinSize)))
{
@@ -847,6 +851,10 @@ BOOL FillBitmap (
cxImgPos = (cxWinSize - cxNewSize) / 2;
}
if (cyNewSize > ((size_t)(-1))/(cImgChannels * cxNewSize)) {
{
MessageBox (hwnd, TEXT ("Visual PNG: stretched image is too big");
}
pStretchedImage = malloc (cImgChannels * cxNewSize * cyNewSize);
pImg = pStretchedImage;