mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[libpng17] Corrected previous attempt at overflow detection in

Browse Source 
png_set_unknown_chunks().
This commit is contained in:
John Bowler
2013-01-17 13:42:42 -06:00
committed by Glenn Randers-Pehrson
parent a4e606dd5f
commit 8ec8e8fcd5
3 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
pngset.c
View File

@@ -1169,7 +1169,7 @@ png_set_unknown_chunks(png_const_structrp png_ptr,
* limit.
*/
if (num_unknowns > PNG_UINT_32_MAX - info_ptr->unknown_chunks_num ||
num_unknowns > PNG_SIZE_MAX/(sizeof *np) - info_ptr->unknown_chunks_num)
num_unknowns + info_ptr->unknown_chunks_num > PNG_SIZE_MAX/(sizeof *np))
{
/* This is a benign read error (user limits are disabled and we are about
* to overflow 2^32 chunks) and an application write error.
@@ -1180,7 +1180,7 @@ png_set_unknown_chunks(png_const_structrp png_ptr,
}
np = png_voidcast(png_unknown_chunkp, png_malloc(png_ptr,
(info_ptr->unknown_chunks_num + (unsigned int)num_unknowns) *
(info_ptr->unknown_chunks_num + num_unknowns) *
(sizeof (png_unknown_chunk))));
memcpy(np, info_ptr->unknown_chunks,