diff --git a/ANNOUNCE b/ANNOUNCE
index a2797dfe5..b90fc0256 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -39,7 +39,7 @@ Version 1.6.30beta02 [April 22, 2017]
 Removed reference to the obsolete PNG_SAFE_LIMITS macro in the documentation.
 
 Version 1.6.30beta03 [April 23, 2017]
- Check for integer overflow in contrib/visupng.
+ Check for integer overflow in contrib/visupng and contrib/tools/genpng.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index d28b7b200..883062c23 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5834,7 +5834,7 @@ Version 1.6.30beta02 [April 22, 2017]
 Removed reference to the obsolete PNG_SAFE_LIMITS macro in the documentation.
 
 Version 1.6.30beta03 [April 23, 2017]
- Check for integer overflow in contrib/visupng.
+ Check for integer overflow in contrib/visupng and contrib/tools/genpng.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/contrib/tools/genpng.c b/contrib/tools/genpng.c
index ce43260cb..0b3f98196 100644
--- a/contrib/tools/genpng.c
+++ b/contrib/tools/genpng.c
@@ -1,7 +1,8 @@
 /*- genpng
 *
 * COPYRIGHT: Written by John Cunningham Bowler, 2015.
- * To the extent possible under law, the author has waived all copyright and
+ * Revised by Glenn Randers-Pehrson, 2017, to add buffer-size check.
+ * To the extent possible under law, the authors have waived all copyright and
 * related or neighboring rights to this work. This work is published from:
 * United States.
 *
@@ -783,6 +784,19 @@ main(int argc, const char **argv)
 return 1;
 }
 
+#if 1
+ /* TO do: determine whether this guard against overflow is necessary.
+ * This comment in png.h indicates that it should be safe: "libpng will
+ * refuse to process an image where such an overflow would occur", but
+ * I don't see where the image gets rejected when the buffer is too
+ * large before the malloc is attempted.
+ */
+ if (image.height > ((size_t)(-1))/(8*image.width)) {
+ fprintf(stderr, "genpng: image buffer would be too big");
+ return 1;
+ }
+#endif
+
 /* Create the buffer: */
 buffer = malloc(PNG_IMAGE_SIZE(image));
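Review bot: The divisor `8*image.width` in the new guard is evaluated before the comparison, so it can wrap or come out as zero when the width is zero or very large, and the check would then divide by zero or accept a size it was meant to reject. The declaration of `image.width` is outside this hunk; in libpng's `png_image` it is a 32-bit unsigned. Dividing in two steps avoids the multiplication altogether: `if (image.width == 0 || image.height > ((size_t)(-1))/8/image.width) {`. The literal 8 is a bytes-per-pixel assumption that is not tied to the `PNG_IMAGE_SIZE(image)` used by the malloc below, so a comment naming the format it corresponds to would keep the two from drifting apart. The message also lacks a trailing newline (`"genpng: image buffer would be too big\n"`), and main's body starts and ends outside the hunk.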