mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[libpng15] Check validity of "nentries" parameter of png_set_sPLT().

Browse Source 
and check validity of "num_text" parameter of png_set_text_2().
This commit is contained in:
Glenn Randers-Pehrson
2013-01-17 16:15:46 -06:00
parent 798d3de5f6
commit 77a0a2ea11
4 changed files with 14 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
pngset.c
View File

@@ -690,6 +690,17 @@ png_set_text_2(png_structp png_ptr, png_infop info_ptr,
/* Make sure we have enough space in the "text" array in info_struct
* to hold all of the incoming text_ptr objects.
*/
if (num_text < 0 ||
num_text > INT_MAX - info_ptr->num_text - 8 ||
(unsigned int)/*SAFE*/(num_text +/*SAFE*/
info_ptr->num_text + 8) >=
PNG_SIZE_MAX/png_sizeof(png_text))
{
png_warning(png_ptr, "too many text chunks");
return(0);
}
if (info_ptr->num_text + num_text > info_ptr->max_text)
{
int old_max_text = info_ptr->max_text;