mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[lbpng17] Avoid potential pointer overflow in png_handle_sPLT() and

Browse Source 
png_handle_pCAL() (Bug report by John Regehr).
This commit is contained in:
Glenn Randers-Pehrson
2015-11-13 22:25:03 -06:00
parent 722645fec5
commit c09b3ab2c7
3 changed files with 13 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
pngrutil.c
View File

@@ -1530,7 +1530,7 @@ png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr)
++entry_start;
/* A sample depth should follow the separator, and we should be on it */
if (entry_start > buffer + length - 2)
if (length < 2 || entry_start > buffer + length - 2)
{
png_chunk_benign_error(png_ptr, "malformed");
return;
@@ -1948,7 +1948,7 @@ png_handle_pCAL(png_structrp png_ptr, png_inforp info_ptr)
/* We need to have at least 12 bytes after the purpose string
* in order to get the parameter information.
*/
if (endptr <= buf + 12)
if (png_ptr->chunk_length < 12 || endptr <= buf + 12)
{
png_chunk_benign_error(png_ptr, "invalid");
return;