[libpng15] Check validity of "nentries" parameter of png_set_sPLT().

2025-07-10 18:04:09 +02:00 · 2013-01-17 15:16:02 -06:00 · 2013-01-17 15:16:02 -06:00 · 798d3de5f6
commit 798d3de5f6
parent 5b4aa7841b
3 changed files with 14 additions and 3 deletions
--- a/1
+++ b/1
@ -84,6 +84,7 @@ Version 1.5.14rc02 [January 17, 2013]
  Revised test for validity of "num_unknowns" to eliminate compiler warnings.

 Version 1.5.14rc03 [January 17, 2013]
+  Check validity of "nentries" parameter of png_set_sPLT().

  ===========================================================================
                       NOTICE November 17, 2012:
--- a/1
+++ b/1
@ -3977,6 +3977,7 @@ Version 1.5.14rc02 [January 17, 2013]
  Revised test for validity of "num_unknowns" to eliminate compiler warnings.

 Version 1.5.14rc03 [January 17, 2013]
+  Check validity of "nentries" parameter of png_set_sPLT().

  ===========================================================================
                       NOTICE November 17, 2012:
--- a/pngset.c
+++ b/pngset.c
@ -969,9 +969,18 @@ png_set_sPLT(png_structp png_ptr,
   if (png_ptr == NULL || info_ptr == NULL)
      return;

-   np = (png_sPLT_tp)png_malloc_warn(png_ptr,
-       (info_ptr->splt_palettes_num + nentries) *
-       (png_size_t)png_sizeof(png_sPLT_t));
+   if (nentries < 0 ||
+       nentries > INT_MAX-info_ptr->splt_palettes_num ||
+       (unsigned int)/*SAFE*/(nentries +/*SAFE*/
+       info_ptr->splt_palettes_num) >=
+       PNG_SIZE_MAX/png_sizeof(png_sPLT_t))
+      np=NULL;
+
+   else
+
+      np = (png_sPLT_tp)png_malloc_warn(png_ptr,
+          (info_ptr->splt_palettes_num + nentries) *
+          (png_size_t)png_sizeof(png_sPLT_t));

   if (np == NULL)
   {