[libpng15] Check validity of "num_unknowns" parameter

of png_set_unknown_chunks().
2025-07-10 18:04:09 +02:00 · 2013-01-10 09:24:03 -06:00 · 2013-01-10 09:24:03 -06:00 · 1a3d6e3cf3
commit 1a3d6e3cf3
parent c4b099396a
3 changed files with 15 additions and 6 deletions
--- a/5
+++ b/5
@ -1,5 +1,5 @@

-Libpng 1.5.14beta08 - January 7, 2013
+Libpng 1.5.14beta08 - January 10, 2013

 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@ -73,7 +73,8 @@ Version 1.5.14beta07 [January 6, 2012]
    which provide more extensive testing.  Replaced pngtest.png because pngtest
    writes the ancillary chunks in a different order.

-Version 1.5.14beta08 [January 7, 2013]
+Version 1.5.14beta08 [January 10, 2013]
+  Check validity of "num_unknowns" parameter of png_set_unknown_chunks().

  ===========================================================================
                       NOTICE November 17, 2012:
--- a/3
+++ b/3
@ -3966,7 +3966,8 @@ Version 1.5.14beta07 [January 6, 2012]
    which provide more extensive testing.  Replaced pngtest.png because pngtest
    writes the ancillary chunks in a different order.

-Version 1.5.14beta08 [January 7, 2013]
+Version 1.5.14beta08 [January 10, 2013]
+  Check validity of "num_unknowns" parameter of png_set_unknown_chunks().

  ===========================================================================
                       NOTICE November 17, 2012:
--- a/pngset.c
+++ b/pngset.c
@ -1039,9 +1039,16 @@ png_set_unknown_chunks(png_structp png_ptr,
   if (png_ptr == NULL || info_ptr == NULL || num_unknowns == 0)
      return;

-   np = (png_unknown_chunkp)png_malloc_warn(png_ptr,
-       (png_size_t)(info_ptr->unknown_chunks_num + num_unknowns) *
-       png_sizeof(png_unknown_chunk));
+   if (num_unknowns < 0 ||
+       num_unknowns >= UINT_MAX-info_ptr->unknown_chunks_num ||
+       num_unknowns >= PNG_SIZE_MAX/png_sizeof(png_unknown_chunk)
+       - info_ptr->unknown_chunks_num)
+      np=NULL;
+
+   else
+      np = (png_unknown_chunkp)png_malloc_warn(png_ptr,
+          (png_size_t)(info_ptr->unknown_chunks_num + num_unknowns) *
+          png_sizeof(png_unknown_chunk));

   if (np == NULL)
   {