mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[libpng15] Check validity of "nentries" parameter of png_set_sPLT().

Browse Source
This commit is contained in:
Glenn Randers-Pehrson 2013-01-17 15:16:02 -06:00
parent 5b4aa7841b
commit 798d3de5f6
3 changed files with 14 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ANNOUNCE
View File

@ -84,6 +84,7 @@ Version 1.5.14rc02 [January 17, 2013]
Revised test for validity of "num_unknowns" to eliminate compiler warnings. Revised test for validity of "num_unknowns" to eliminate compiler warnings.
Version 1.5.14rc03 [January 17, 2013] Version 1.5.14rc03 [January 17, 2013]
Check validity of "nentries" parameter of png_set_sPLT().
=========================================================================== ===========================================================================
NOTICE November 17, 2012: NOTICE November 17, 2012:

1
CHANGES
View File

@ -3977,6 +3977,7 @@ Version 1.5.14rc02 [January 17, 2013]
Revised test for validity of "num_unknowns" to eliminate compiler warnings. Revised test for validity of "num_unknowns" to eliminate compiler warnings.
Version 1.5.14rc03 [January 17, 2013] Version 1.5.14rc03 [January 17, 2013]
Check validity of "nentries" parameter of png_set_sPLT().
=========================================================================== ===========================================================================
NOTICE November 17, 2012: NOTICE November 17, 2012:

9
pngset.c
View File

@ -969,6 +969,15 @@ png_set_sPLT(png_structp png_ptr,
if (png_ptr == NULL || info_ptr == NULL) if (png_ptr == NULL || info_ptr == NULL)
return; return;
if (nentries < 0 ||
nentries > INT_MAX-info_ptr->splt_palettes_num ||
(unsigned int)/*SAFE*/(nentries +/*SAFE*/
info_ptr->splt_palettes_num) >=
PNG_SIZE_MAX/png_sizeof(png_sPLT_t))
np=NULL;
else
np = (png_sPLT_tp)png_malloc_warn(png_ptr, np = (png_sPLT_tp)png_malloc_warn(png_ptr,
(info_ptr->splt_palettes_num + nentries) * (info_ptr->splt_palettes_num + nentries) *
(png_size_t)png_sizeof(png_sPLT_t)); (png_size_t)png_sizeof(png_sPLT_t));