mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

Fix handling incorrect hIST chunks of uneven size

Browse Source 
The hIST chunks, used for storing image histograms, contain arrays of
16-bit unsigned integers, and the chunk size is expected to be an even
number. Raise a png_chunk_benign_error() if a hIST chunk fails to meet
this expectation.

Reported-by: Eugene Kliuchnikov <eustas@google.com>
This commit is contained in:
Cosmin Truta 2022-09-14 11:30:14 +03:00
parent e9e9801a84
commit 62c027d4df
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pngrutil.c
View File

@ -2123,8 +2123,9 @@ png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
num = length / 2 ;
if (num != (unsigned int) png_ptr->num_palette ||
num > (unsigned int) PNG_MAX_PALETTE_LENGTH)
if (length != num * 2 ||
num != (unsigned int)png_ptr->num_palette ||
num > (unsigned int)PNG_MAX_PALETTE_LENGTH)
{
png_crc_finish(png_ptr, length);
png_chunk_benign_error(png_ptr, "invalid");