Denial of Service via Divide by Zero

[dns43]

Setting row_bytes to 0 may trigger undefined behavior or crash in the following line:
https://sourcegraph.com/github.com/glennrp/libpng@dbe3e0c43e549a1602286144d94b0666549b18e6/-/blob/pngrutil.c#L3172

[benkasminbullock]

In the link that you provided, row_factor is given before that as png_ptr->width multiplied by png_ptr->channels multiplied by 2 or 1 for the bit depth 16 or 8, then on the following line

https://sourcegraph.com/github.com/glennrp/libpng@dbe3e0c43e549a1602286144d94b0666549b18e6/-/blob/pngrutil.c#L3166

1 is added to that, so how can row_factor be zero, and what is this to do with row_bytes?

[dns43]

Sorry for the poor bug description!
The divide by zero can be caused by an integer overflow on 32bit systems (see casting to size_t)

(gdb) start
Temporary breakpoint 1 at 0x652: file libpng2.c, line 7.
Starting program: libpng2 
Temporary breakpoint 1, main () at libpng2.c:7
7           uint32_t w = 0x55555555;
(gdb) n
8           uint32_t c = 3;
(gdb) 
9           uint32_t d = 1;
(gdb) 
10          uint32_t i = 0;
(gdb) 
14               * (uint32_t) c
(gdb) 
15               * ( d > 8? 2: 1)
(gdb) 
17               + ( i ? 6: 0);
(gdb) 
12            uint32_t row_factor =
(gdb) 
19            printf(" %d\n" , row_factor);
(gdb) p row_factor 
$1 = 0

pixel->width is user controlled

channel can be set to 3 https://sourcegraph.com/github.com/glennrp/libpng@dbe3e0c43e549a1602286144d94b0666549b18e6/-/blob/pngrutil.c#L889

bit_depth can be set to 1
https://sourcegraph.com/github.com/glennrp/libpng@dbe3e0c43e549a1602286144d94b0666549b18e6/-/blob/png.c#L2622