mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[devel] Fixed png_handle_sCAL which is broken in 1.5

Browse Source
This commit is contained in:
Glenn Randers-Pehrson
2011-06-10 17:45:48 -05:00
parent ab1a573768
commit 254a513fd1
3 changed files with 17 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
pngrutil.c
View File

@@ -1992,6 +1992,14 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
return;
}
/* Need unit type, width, \0, height: minimum 4 bytes */
else if (length < 4)
{
png_warning(png_ptr, "sCAL chunk too short");
png_crc_finish(png_ptr, length);
return;
}
png_debug1(2, "Allocating and reading sCAL chunk data (%u bytes)",
length + 1);
@@ -2027,7 +2035,7 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
/* Validate the ASCII numbers, need two ASCII numbers separated by
* a '\0' and they need to fit exactly in the chunk data.
*/
i = 0;
i = 1;
state = 0;
if (png_ptr->chunkdata[1] == 45 /* negative width */ ||
@@ -2039,6 +2047,7 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
{
png_size_t heighti = i;
state = 0;
if (png_ptr->chunkdata[i] == 45 /* negative height */ ||
!png_check_fp_number(png_ptr->chunkdata, slength, &state, &i) ||
i != slength)