[libpng16] Check for integer overflow in contrib/tools/genpng.

2025-07-10 18:04:09 +02:00 · 2017-04-23 18:41:28 -05:00 · 2017-04-23 18:41:28 -05:00 · b99308a33c
commit b99308a33c
parent 170a44b222
3 changed files with 17 additions and 3 deletions
--- a/2
+++ b/2
@ -39,7 +39,7 @@ Version 1.6.30beta02 [April 22, 2017]
  Removed reference to the obsolete PNG_SAFE_LIMITS macro in the documentation.

 Version 1.6.30beta03 [April 23, 2017]
-  Check for integer overflow in contrib/visupng.
+  Check for integer overflow in contrib/visupng and contrib/tools/genpng.

 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
--- a/2
+++ b/2
@ -5834,7 +5834,7 @@ Version 1.6.30beta02 [April 22, 2017]
  Removed reference to the obsolete PNG_SAFE_LIMITS macro in the documentation.

 Version 1.6.30beta03 [April 23, 2017]
-  Check for integer overflow in contrib/visupng.
+  Check for integer overflow in contrib/visupng and contrib/tools/genpng.

 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
--- a/contrib/tools/genpng.c
+++ b/contrib/tools/genpng.c
@ -1,7 +1,8 @@
 /*- genpng
 *
 * COPYRIGHT: Written by John Cunningham Bowler, 2015.
- * To the extent possible under law, the author has waived all copyright and
+ * Revised by Glenn Randers-Pehrson, 2017, to add buffer-size check.
+ * To the extent possible under law, the authors have waived all copyright and
 * related or neighboring rights to this work.  This work is published from:
 * United States.
 *
@ -783,6 +784,19 @@ main(int argc, const char **argv)
         return 1;
      }

+#if 1
+     /* TO do: determine whether this guard against overflow is necessary.
+      * This comment in png.h indicates that it should be safe: "libpng will
+      * refuse to process an image where such an overflow would occur", but
+      * I don't see where the image gets rejected when the buffer is too
+      * large before the malloc is attempted.
+      */
+      if (image.height > ((size_t)(-1))/(8*image.width)) {
+         fprintf(stderr, "genpng: image buffer would be too big");
+         return 1;
+      }
+#endif
+
      /* Create the buffer: */
      buffer = malloc(PNG_IMAGE_SIZE(image));