From e411c66e382721c94c3aa66dd84d49a5f06bd35d Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Sat, 18 Jun 2011 14:54:22 -0500 Subject: [PATCH] [legacy] Check for sCAL chunk too short. --- ANNOUNCE | 5 +++-- CHANGES | 3 ++- pngrutil.c | 8 ++++++++ 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index f9e2f8294..5030b2378 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,5 +1,5 @@ -Libpng 1.2.45beta03 - June 8, 2011 +Libpng 1.2.45beta03 - June 18, 2011 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -113,8 +113,9 @@ version 1.2.45beta01 [June 7, 2011] Ported bugfix in pngrtran.c from 1.5.3: when expanding a paletted image, always expand to RGBA if transparency is present. -version 1.2.45beta02 [June 8, 2011] +version 1.2.45beta02 [June 18, 2011] Check for integer overflow in png_set_rgb_to_gray(). + Check for sCAL chunk too short. (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement diff --git a/CHANGES b/CHANGES index 04dff5408..1d00cf18c 100644 --- a/CHANGES +++ b/CHANGES @@ -2714,8 +2714,9 @@ version 1.2.45beta01 [June 7, 2011] Ported bugfix in pngrtran.c from 1.5.3: when expanding a paletted image, always expand to RGBA if transparency is present. -version 1.2.45beta02 [June 8, 2011] +version 1.2.45beta02 [June 18, 2011] Check for integer overflow in png_set_rgb_to_gray(). + Check for sCAL chunk too short. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/pngrutil.c b/pngrutil.c index 1e2db31b2..9e5ffd630 100644 --- a/pngrutil.c +++ b/pngrutil.c 
@@ -1812,6 +1812,14 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) return; } + /* Need unit type, width, \0, height: minimum 4 bytes */ + else if (length < 4) + { + png_warning(png_ptr, "sCAL chunk too short"); + png_crc_finish(png_ptr, length); + return; + } + png_debug1(2, "Allocating and reading sCAL chunk data (%lu bytes)", length + 1); png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
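Review bot: The new `length < 4` guard in png_handle_sCAL bounds only the total chunk size; it does not establish that the `\0` between width and height lies inside the chunk, or that either string is non-empty. A four-byte chunk with no NUL in it passes this test, and the `length + 1` allocation that follows suggests a terminator is appended after the data, which a scan for the separator would then stop on. The parsing code is outside this hunk (the function body starts and ends beyond it), so confirm there that the separator is searched for within `length` bytes and that the height string is rejected when it would start at or past the end of the data. I would also make the comment state the limit of the check: `/* Need unit type, width, \0, height: minimum 4 bytes. Size check only; the \0 separator must still be found within length when parsing. */`.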