mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

pngvalid.c: correct progressive read input buffer

Browse Source 
The previous version of the code invariably passed just one byte at a time to
libpng.  The intention was to pass a random number of bytes in the range 0..511
(and this is what happens now).

Signed-off-by: John Bowler <jbowler@acm.org>
This commit is contained in:
John Bowler 2016-05-29 09:30:00 -07:00
parent a201f859cd
commit 801b925edf
1 changed files with 14 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
contrib/libtests/pngvalid.c
View File

@ -1478,15 +1478,15 @@ store_read_imp(png_store *ps, png_bytep pb, png_size_t st)
} }
static png_size_t static png_size_t
store_read_chunk(png_store *ps, png_bytep pb, png_size_t max, png_size_t st) store_read_chunk(png_store *ps, png_bytep pb, const png_size_t max,
const png_size_t min)
{ {
png_uint_32 chunklen = ps->chunklen; png_uint_32 chunklen = ps->chunklen;
png_uint_32 chunktype = ps->chunktype; png_uint_32 chunktype = ps->chunktype;
png_uint_32 chunkpos = ps->chunkpos; png_uint_32 chunkpos = ps->chunkpos;
png_size_t st = max;
max -= st; if (st > 0) do
if (max+st > 0) do
{ {
if (chunkpos >= chunklen) /* end of last chunk */ if (chunkpos >= chunklen) /* end of last chunk */
{ {
@ -1651,7 +1651,7 @@ store_read_chunk(png_store *ps, png_bytep pb, png_size_t max, png_size_t st)
ps->IDAT_size = IDAT_size; ps->IDAT_size = IDAT_size;
} }
else else /* !IDAT */
{ {
/* If there is still some pending IDAT data after the IDAT chunks have /* If there is still some pending IDAT data after the IDAT chunks have
* been processed there is a problem: * been processed there is a problem:
@ -1694,8 +1694,15 @@ store_read_chunk(png_store *ps, png_bytep pb, png_size_t max, png_size_t st)
pb += avail; pb += avail;
st -= avail; st -= avail;
chunkpos += (png_uint_32)/*SAFE*/avail; chunkpos += (png_uint_32)/*SAFE*/avail;
/* Check for end of chunk and end-of-file; don't try to read a new
* chunk header at this point unless instructed to do so by 'min'.
*/
if (chunkpos >= chunklen && max-st >= min &&
store_read_buffer_avail(ps) == 0)
break;
} }
} } /* !IDAT */
} }
while (st > 0); while (st > 0);
@ -1703,7 +1710,7 @@ store_read_chunk(png_store *ps, png_bytep pb, png_size_t max, png_size_t st)
ps->chunktype = chunktype; ps->chunktype = chunktype;
ps->chunkpos = chunkpos; ps->chunkpos = chunkpos;
return max+st; return st; /* space left */
} }
static void PNGCBAPI static void PNGCBAPI