mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[libpng16] Document need to check for integer overflow when allocating a pixel

Browse Source 
buffer for multiple rows in contrib/gregbook, contrib/pngminus, example.c, and
in the manual (suggested by Jaeseung Choi).
This commit is contained in:
Glenn Randers-Pehrson
2017-04-22 15:21:58 -05:00
parent 13370c536c
commit 53f22aed41
13 changed files with 118 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
libpng-manual.txt
View File

@@ -1,6 +1,6 @@
libpng-manual.txt - A description on how to use and modify libpng
libpng version 1.6.30beta02 - April 3, 2017
libpng version 1.6.30beta02 - April 19, 2017
Updated and distributed by Glenn Randers-Pehrson
<glennrp at users.sourceforge.net>
Copyright (c) 1998-2016 Glenn Randers-Pehrson
@@ -11,7 +11,7 @@ libpng-manual.txt - A description on how to use and modify libpng
Based on:
libpng versions 0.97, January 1998, through 1.6.30beta02 - April 3, 2017
libpng versions 0.97, January 1998, through 1.6.30beta02 - April 19, 2017
Updated and distributed by Glenn Randers-Pehrson
Copyright (c) 1998-2016 Glenn Randers-Pehrson
@@ -1190,7 +1190,20 @@ row_pointers prior to calling png_read_png() with
png_set_rows(png_ptr, info_ptr, &row_pointers);
Alternatively you could allocate your image in one big block and define
row_pointers[i] to point into the proper places in your block.
row_pointers[i] to point into the proper places in your block, but first
be sure that your platform is able to allocate such a large buffer:
/* Guard against integer overflow */
if (height > PNG_SIZE_MAX/(width*pixel_size)) {
png_error(png_ptr,"image_data buffer would be too large");
}
png_bytep buffer=png_malloc(png_ptr,height*width*pixel_size);
for (int i=0; i<height, i++)
row_pointers[i]=buffer+i*width*pixel_size;
png_set_rows(png_ptr, info_ptr, &row_pointers);
If you use png_set_rows(), the application is responsible for freeing
row_pointers (and row_pointers[i], if they were separately allocated).
@@ -2146,6 +2159,16 @@ are allocating one large chunk, you will need to build an
array of pointers to each row, as it will be needed for some
of the functions below.
Be sure that your platform can allocate the buffer that you'll need.
libpng internally checks for oversize width, but you'll need to
do your own check for number_of_rows*width*pixel_size if you are using
a multiple-row buffer:
/* Guard against integer overflow */
if (number_of_rows > PNG_SIZE_MAX/(width*pixel_size)) {
png_error(png_ptr,"image_data buffer would be too large");
}
Remember: Before you call png_read_update_info(), the png_get_*()
functions return the values corresponding to the original PNG image.
After you call png_read_update_info the values refer to the image