From 798d3de5f66b6df6d6605f968da641c24725b15e Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson
Date: Thu, 17 Jan 2013 15:16:02 -0600
Subject: [PATCH] [libpng15] Check validity of "nentries" parameter of png_set_sPLT().
---
 ANNOUNCE | 1 +
 CHANGES | 1 +
 pngset.c | 15 ++++++++++++---
 3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/ANNOUNCE b/ANNOUNCE
index 5b542933e..d16bf333b 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -84,6 +84,7 @@ Version 1.5.14rc02 [January 17, 2013]
 Revised test for validity of "num_unknowns" to eliminate compiler warnings.
 Version 1.5.14rc03 [January 17, 2013]
+ Check validity of "nentries" parameter of png_set_sPLT().
 ===========================================================================
 NOTICE November 17, 2012:
diff --git a/CHANGES b/CHANGES
index 334b81fea..4c2d767a8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3977,6 +3977,7 @@ Version 1.5.14rc02 [January 17, 2013]
 Revised test for validity of "num_unknowns" to eliminate compiler warnings.
 Version 1.5.14rc03 [January 17, 2013]
+ Check validity of "nentries" parameter of png_set_sPLT().
 ===========================================================================
 NOTICE November 17, 2012:
diff --git a/pngset.c b/pngset.c
index f6efc7dd1..1467690a7 100644
--- a/pngset.c
+++ b/pngset.c
@@ -969,9 +969,18 @@ png_set_sPLT(png_structp png_ptr,
 if (png_ptr == NULL || info_ptr == NULL)
 return;
- np = (png_sPLT_tp)png_malloc_warn(png_ptr,
- (info_ptr->splt_palettes_num + nentries) *
- (png_size_t)png_sizeof(png_sPLT_t));
+ if (nentries < 0 ||
+ nentries > INT_MAX-info_ptr->splt_palettes_num ||
+ (unsigned int)/*SAFE*/(nentries +/*SAFE*/
+ info_ptr->splt_palettes_num) >=
+ PNG_SIZE_MAX/png_sizeof(png_sPLT_t))
+ np=NULL;
+
+ else
+
+ np = (png_sPLT_tp)png_malloc_warn(png_ptr,
+ (info_ptr->splt_palettes_num + nentries) *
+ (png_size_t)png_sizeof(png_sPLT_t));
 if (np == NULL)
 {
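Review bot: In the pngset.c hunk the new range check reports a rejected `nentries` by setting `np=NULL`, so an invalid argument falls into the following `if (np == NULL)` branch and cannot be told apart from a failed png_malloc_warn(). The body of that branch lies outside the hunk, but if it reports an out-of-memory condition, the diagnostic will mislead anyone triaging a malformed sPLT call. Consider rejecting the argument up front with its own message, for example `{ png_warning(png_ptr, "Invalid nentries in png_set_sPLT"); return; }` (message text constructed here), and leaving the allocation unconditional; this also removes the unbraced `if`/`else` split by blank lines. The guard `nentries > INT_MAX-info_ptr->splt_palettes_num` is only sound if that field is a non-negative signed int, which the hunk does not show, so a short comment such as `/* splt_palettes_num is a non-negative int, so the subtraction cannot overflow */` would record the assumption once confirmed. png_set_sPLT() starts before and continues past the hunk.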