Integer overflows in PNG image loading code #2790
img->xsize * img->ysize may overflow (CUPS_IMAGE_MAX_WIDTH and CUPS_IMAGE_MAX_HEIGHT are too big for multiplication).
malloc(img->xsize * img->ysize * 3) can result in a buffer that's too small. Also, the return codes of a lot of the mallocs aren't checked; when a NULL pointer is passed to png_read_row, it may be possible to corrupt memory this way as well. I have a .png that does this.
If you need more information, please let me know.
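An added example (not code from CUPS or from this report) contrasting the unchecked width * height * bpp computation described above with an overflow-checked one. The 32-bit arithmetic, the dimension values and the alloc_image_buffer wrapper are constructed for illustration; they are not the actual CUPS_IMAGE_MAX_* limits or CUPS types.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The unsafe pattern from the report, done in 32-bit unsigned arithmetic so
 * the wraparound is well-defined and observable: a large image can yield a
 * tiny (even zero) byte count, and malloc then returns an undersized buffer. */
uint32_t naive_row_buffer_size(uint32_t xsize, uint32_t ysize, uint32_t bpp)
{
    return xsize * ysize * bpp;     /* may wrap to a small number */
}

/* Hardened computation: rejects zero dimensions and any product that does not
 * fit in size_t. Returns 0 on rejection (a zero-size image is never valid),
 * otherwise the exact number of bytes the pixel buffer needs. */
size_t checked_image_size(uint32_t xsize, uint32_t ysize, uint32_t bpp)
{
    if (xsize == 0 || ysize == 0 || bpp == 0)
        return 0;
    if (xsize > SIZE_MAX / ysize)               /* xsize * ysize would overflow */
        return 0;
    size_t pixels = (size_t)xsize * ysize;
    if (pixels > SIZE_MAX / bpp)                /* pixels * bpp would overflow */
        return 0;
    return pixels * bpp;
}

/* Allocation wrapper (constructed name) that fails closed: oversized images are
 * refused before malloc, and a NULL from malloc is returned to the caller,
 * which must check it before handing the buffer to any row-reading routine. */
unsigned char *alloc_image_buffer(uint32_t xsize, uint32_t ysize, uint32_t bpp)
{
    size_t bytes = checked_image_size(xsize, ysize, bpp);
    if (bytes == 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed 65536 x 65536 RGB image: 2^32 pixels * 3 bytes. */
    printf("naive size:   %u\n", naive_row_buffer_size(65536u, 65536u, 3u));
    printf("checked size: %zu\n", checked_image_size(65536u, 65536u, 3u));
    unsigned char *buf = alloc_image_buffer(640u, 480u, 3u);
    printf("640x480x3 alloc %s\n", buf ? "ok" : "failed");
    free(buf);
    return 0;
}
```

On a 64-bit build the naive computation reports 0 bytes for the 65536 x 65536 image while the checked version reports the true 12884901888, which is exactly the gap an undersized buffer would be written past.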
--- image-png.c (revision 7434)
if (color_type == PNG_COLOR_TYPE_GRAY ||
bpp = cupsImageGetDepth(img);