[libpng15] Revised png_check_IHDR() to use PNG_SIZE_MAX instead of

PNG_UINT_32_MAX in the test for potential overflow in PNG_ROWBYTES.
2025-07-10 18:04:09 +02:00 · 2014-01-09 19:20:11 -06:00
parent ea9249fe5b
commit a951c329bd
3 changed files with 13 additions and 7 deletions
--- a/png.c
+++ b/png.c
@@ -658,13 +658,13 @@ png_get_copyright(png_const_structp png_ptr)
 #else
 #  ifdef __STDC__
   return PNG_STRING_NEWLINE \
-     "libpng version 1.5.18beta04 - January 8, 2014" PNG_STRING_NEWLINE \
+     "libpng version 1.5.18beta04 - January 10, 2014" PNG_STRING_NEWLINE \
     "Copyright (c) 1998-2014 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \
     "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
     "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
     PNG_STRING_NEWLINE;
 #  else
-      return "libpng version 1.5.18beta04 - January 8, 2014\
+      return "libpng version 1.5.18beta04 - January 10, 2014\
      Copyright (c) 1998-2014 Glenn Randers-Pehrson\
      Copyright (c) 1996-1997 Andreas Dilger\
      Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.";
@@ -1222,12 +1222,14 @@ png_check_IHDR(png_structp png_ptr,
      error = 1;
   }

-   if (error == 0 && width > (PNG_UINT_32_MAX
+   /* Check for potential overflow in PNG_ROWBYTES calculation */
+   if (error == 0 && width > (PNG_SIZE_MAX
                 >> 3)      /* 8-byte RGBA pixels */
                 - 48       /* bigrowbuf hack */
                 - 1        /* filter byte */
                 - 7*8      /* rounding of width to multiple of 8 pixels */
-                 - 8)       /* extra max_pixel_depth pad */
+                 - 8        /* extra max_pixel_depth pad */
+                 - error)   /* to prevent always-false compiler warning */
      png_warning(png_ptr,
          "Width may be too large for libpng to process pixels");