mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[libng16] Check length of all chunks except IDAT against user limit.

Browse Source
This commit is contained in:
Glenn Randers-Pehrson
2017-08-02 19:21:19 -05:00
parent 2b37d46564
commit 347538efbd
4 changed files with 36 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
pngrutil.c
View File

@@ -181,6 +181,22 @@ png_read_chunk_header(png_structrp png_ptr)
/* Check to see if chunk name is valid. */
png_check_chunk_name(png_ptr, png_ptr->chunk_name);
/* Check for too-large chunk length */
if (png_ptr->chunk_name != png_IDAT)
{
png_alloc_size_t limit = PNG_SIZE_MAX;
# ifdef PNG_SET_USER_LIMITS_SUPPORTED
if (png_ptr->user_chunk_malloc_max > 0 &&
png_ptr->user_chunk_malloc_max < limit)
limit = png_ptr->user_chunk_malloc_max;
# elif PNG_USER_CHUNK_MALLOC_MAX > 0
if (PNG_USER_CHUNK_MALLOC_MAX < limit)
limit = PNG_USER_CHUNK_MALLOC_MAX;
# endif
if (length > limit)
png_chunk_error(png_ptr, "chunk data is too large");
}
#ifdef PNG_IO_STATE_SUPPORTED
png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
#endif