[libpng16] Document need to check for integer overflow when allocating a pixel

buffer for multiple rows in contrib/gregbook, contrib/pngminus, example.c, and in the manual (suggested by Jaeseung Choi).
2025-07-10 18:04:09 +02:00 · 2017-04-22 15:21:58 -05:00
parent 13370c536c
commit 53f22aed41
13 changed files with 118 additions and 18 deletions
--- a/contrib/gregbook/rpng2-x.c
+++ b/contrib/gregbook/rpng2-x.c
@@ -780,6 +780,13 @@ static void rpng2_x_init(void)
    Trace((stderr, "  width  = %ld\n", rpng2_info.width))
    Trace((stderr, "  height = %ld\n", rpng2_info.height))

+    /* Guard against integer overflow */
+    if (rpng2_info.height > ((size_t)(-1))/rpng2_info.rowbytes) {
+        fprintf(stderr, PROGNAME ":  image_data buffer would be too large\n");
+        readpng2_cleanup(&rpng2_info);
+        return;
+    }
+
    rpng2_info.image_data = (uch *)malloc(rowbytes * rpng2_info.height);
    if (!rpng2_info.image_data) {
        readpng2_cleanup(&rpng2_info);