From 805ed7a2d4e5e3f7a337fc51af26a3339ac24606 Mon Sep 17 00:00:00 2001
From: John Bowler
Date: Wed, 31 Jan 2024 19:45:18 -0800
Subject: [PATCH] Correct row width check in png_check_IHDR
This changes the mask used in the IHDR width check from ~7U to ~(png_alloc_size_t)7 which is a quantity at least as big as both png_uint_32 and size_t whereas "7U" will be 16 bits on a 16 bit system. The change both corrects a bug in the code (on 16 bit systems) and removes compiler warnings about the test always being false on 64-bit architectures.
Signed-off-by: John Bowler
---
 png.c | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)
diff --git a/png.c b/png.c
index 811813ef7..997b8d4dc 100644
--- a/png.c
+++ b/png.c
@@ -2511,17 +2511,6 @@ png_colorspace_set_rgb_coefficients(png_structrp png_ptr)
 #endif /* COLORSPACE */
-#ifdef __GNUC__
-/* This exists solely to work round a warning from GNU C. */
-static int /* PRIVATE */
-png_gt(size_t a, size_t b)
-{
- return a > b;
-}
-#else
-# define png_gt(a,b) ((a) > (b))
-#endif
-
 void /* PRIVATE */
 png_check_IHDR(png_const_structrp png_ptr,
 png_uint_32 width, png_uint_32 height, int bit_depth,
@@ -2543,8 +2532,16 @@ png_check_IHDR(png_const_structrp png_ptr,
 error = 1;
 }
- if (png_gt(((width + 7) & (~7U)),
- ((PNG_SIZE_MAX
+ /* The bit mask on the first line below must be at least as big as a
+ * png_uint_32. "~7U" is not adequate on 16-bit systems because it will
+ * be an unsigned 16-bit value. Casting to (png_alloc_size_t) makes the
+ * type of the result at least as bit (in bits) as the RHS of the > operator
+ * which also avoids a common warning on 64-bit systems that the comparison
+ * of (png_uint_32) against the constant value on the RHS will always be
+ * false.
+ */
+ if (((width + 7) & ~(png_alloc_size_t)7) >
+ (((PNG_SIZE_MAX
 - 48 /* big_row_buf hack */
 - 1) /* filter byte */
 / 8) /* 8-byte RGBA pixels */
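Review bot: In the second hunk the sum `width + 7` is still evaluated in `png_uint_32`, because the widening to `png_alloc_size_t` only happens at the `&`. A width within 7 of the 32-bit maximum would therefore wrap to a small value before it is masked and compared. That is presumably harmless because of a separate upper-bound check on `width` elsewhere in `png_check_IHDR` (the function body starts and ends outside the hunk, so confirm), but the row-size guard would be self-contained if the cast moved onto the operand: `if ((((png_alloc_size_t)width + 7) & ~(png_alloc_size_t)7) >`. The new comment also has a typo worth fixing while here, "at least as bit (in bits)" should read "at least as big (in bits)".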