[libpng16] Restored IDAT length check. Previously the calculated limit was five

bytes too small (neglected to account for a partial DEFLATE buffer)
2025-07-10 18:04:09 +02:00 · 2017-08-03 18:03:12 -05:00
parent 4ac8b5e0d6
commit 2dbef2f2a9
4 changed files with 9 additions and 15 deletions
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -196,7 +196,6 @@ png_read_chunk_header(png_structrp png_ptr)
   }
   else
   {
-#if 0 /* some pngtests are failing */
      size_t row_factor =
         (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
          + 1 + (png_ptr->interlaced? 6: 0));
@@ -204,17 +203,16 @@ png_read_chunk_header(png_structrp png_ptr)
         limit=PNG_UINT_31_MAX;
      else
         limit = png_ptr->height * row_factor;
-      limit += 6 + 5*limit/32566; /* zlib+deflate overhead */
+      limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */
      limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX;
-#else
-      limit=PNG_UINT_31_MAX;
-#endif
   }

   if (length > limit)
   {
-      png_debug2(1," png_ptr->push_length = %lu, limit = %lu",
-         (unsigned long)png_ptr->push_length,(unsigned long)limit);
+      printf(" length = %lu, limit = %lu\n",
+         (unsigned long)length,(unsigned long)limit);
+      png_debug2(0," length = %lu, limit = %lu",
+         (unsigned long)length,(unsigned long)limit);
      png_chunk_error(png_ptr, "chunk data is too large");
   }