[libpng15] Check validity of "nentries" parameter of png_set_sPLT().

and check validity of "num_text" parameter of png_set_text_2().
2025-07-10 18:04:09 +02:00 · 2013-01-17 16:15:46 -06:00 · 2013-01-17 16:15:46 -06:00 · 77a0a2ea11
commit 77a0a2ea11
parent 798d3de5f6
4 changed files with 14 additions and 1 deletions
--- a/1
+++ b/1
@ -85,6 +85,7 @@ Version 1.5.14rc02 [January 17, 2013]

 Version 1.5.14rc03 [January 17, 2013]
  Check validity of "nentries" parameter of png_set_sPLT().
+  Check validity of "num_text" parameter of png_set_text_2().

  ===========================================================================
                       NOTICE November 17, 2012:
--- a/1
+++ b/1
@ -3978,6 +3978,7 @@ Version 1.5.14rc02 [January 17, 2013]

 Version 1.5.14rc03 [January 17, 2013]
  Check validity of "nentries" parameter of png_set_sPLT().
+  Check validity of "num_text" parameter of png_set_text_2().

  ===========================================================================
                       NOTICE November 17, 2012:
--- a/pnginfo.h
+++ b/pnginfo.h
@ -242,7 +242,7 @@ defined(PNG_READ_BACKGROUND_SUPPORTED)
 #ifdef PNG_sPLT_SUPPORTED
   /* Data on sPLT chunks (there may be more than one). */
   png_sPLT_tp splt_palettes;
-   png_uint_32 splt_palettes_num;
+   int splt_palettes_num;
 #endif

 #ifdef PNG_sCAL_SUPPORTED
--- a/pngset.c
+++ b/pngset.c
@ -690,6 +690,17 @@ png_set_text_2(png_structp png_ptr, png_infop info_ptr,
   /* Make sure we have enough space in the "text" array in info_struct
    * to hold all of the incoming text_ptr objects.
    */
+
+   if (num_text < 0 ||
+       num_text > INT_MAX - info_ptr->num_text - 8 ||
+       (unsigned int)/*SAFE*/(num_text +/*SAFE*/
+       info_ptr->num_text + 8) >=
+       PNG_SIZE_MAX/png_sizeof(png_text))
+   {
+      png_warning(png_ptr, "too many text chunks");
+      return(0);
+   }
+
   if (info_ptr->num_text + num_text > info_ptr->max_text)
   {
      int old_max_text = info_ptr->max_text;