[libpng16] Fix the calculation of row_factor in png_check_chunk_length
(Bug report by Thuan Pham, SourceForge issue #278)
ctruta committed Jun 18, 2018
1 parent a74aa9a commit 8a05766
Showing 1 changed file with 6 additions and 3 deletions.
9 changes: 6 additions & 3 deletions pngrutil.c
Expand Up @@ -3167,10 +3167,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
{
png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
size_t row_factor =
(png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+ 1 + (png_ptr->interlaced? 6: 0));
(size_t)png_ptr->width
* (size_t)png_ptr->channels
* (png_ptr->bit_depth > 8? 2: 1)
+ 1
+ (png_ptr->interlaced? 6: 0);

dgutson Jul 12, 2018

You can still get a 0 with the following values:

png_ptr->width = (size_t)-1;
png_ptr->channels = 1;
png_ptr->bit_depth = 1;
png_ptr->interlaced = 0;
if (png_ptr->height > PNG_UINT_32_MAX/row_factor)

dgutson Jul 12, 2018

...so I suggest adding a sanitizing check here that row_factor > 0 before doing the division.

idat_limit=PNG_UINT_31_MAX;
idat_limit = PNG_UINT_31_MAX;
else
idat_limit = png_ptr->height * row_factor;
row_factor = row_factor > 32566? 32566 : row_factor;
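
Review bot: The (size_t) casts on png_ptr->width and png_ptr->channels in the new row_factor expression only widen the product to the platform's size_t, so where size_t is 32 bits the sum can still wrap, and nothing between the assignment and PNG_UINT_32_MAX/row_factor rejects a wrapped value, including 0, before it is used as a divisor. Consider checking that the multiplication cannot overflow, or at least that row_factor is nonzero, before the division, and taking the idat_limit = PNG_UINT_31_MAX branch in that case. Separately, the clamp constant 32566 on the last line has no comment explaining where the value comes from.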

1 comment on commit 8a05766

Collaborator Author

@ctruta ctruta commented on 8a05766 Jul 16, 2018

The width cannot exceed PNG_UINT_31_MAX, so adding +1 here is safe.
