mirror of
https://git.code.sf.net/p/libpng/code.git
synced 2025-07-10 18:04:09 +02:00
92a7c79db2
The code now validates the ICC profile length against the user chunk limit before the buffer is allocated, as opposed to doing it while the buffer is read. This removes the potential to consume virtual address space with a carefully crafted ICC profile; only an issue on 32-bit systems where a valid profile can be up to 2^32-4 bytes in length. libpng never writes beyond the application supplied limit, but previously it did allocate a buffer of the size specified in the profile header. The exploitability of this is almost zero; the address space is released as soon as the PNG read completes. Also clean up PNG_DEBUG compile of pngtest.c. Signed-off-by: John Bowler <jbowler@acm.org>
1.0 KiB
1.0 KiB