mirror of
https://git.code.sf.net/p/libpng/code.git
synced 2025-07-10 18:04:09 +02:00
[libpng16] Fixed the recently reported 1's complement security issue by
replacing the value that is illegal in the PNG spec, in both signed and unsigned values, with 0. Illegal unsigned values (anything greater than or equal to 0x80000000) can still pass through, but since these are not illegal in ANSI-C (unlike 0x80000000 in the signed case) the checking that occurs later can catch them (John Bowler).
This commit is contained in:
John Bowler
committed by
Glenn Randers-Pehrson
Glenn Randers-Pehrson
parent
6530e3898d
commit
2d62f7406f
@@ -89,7 +89,13 @@ png_get_int_32)(png_const_bytep buf)
|
||||
return uval;
|
||||
|
||||
uval = (uval ^ 0xffffffff) + 1; /* 2's complement: -x = ~x+1 */
|
||||
return -(png_int_32)uval;
|
||||
if ((uval & 0x80000000) == 0) /* no overflow */
|
||||
return -(png_int_32)uval;
|
||||
/* The following has to be safe; this function only gets called on PNG data
|
||||
* and if we get here that data is invalid. 0 is the most safe value and
|
||||
* if not then an attacker would surely just generate a PNG with 0 instead.
|
||||
*/
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Grab an unsigned 16-bit integer from a buffer in big-endian format. */
|
||||
|
||||
Reference in New Issue
Block a user