Skip to content

Commit

Permalink
Fix integer overflow in rwpng.h (CVE-2016-5735)
Browse files Browse the repository at this point in the history
Reported by Choi Jaeseung 
Found with Sparrow (http://ropas.snu.ac.kr/sparrow)
  • Loading branch information
kornelski committed Jun 23, 2016
1 parent 350c3a4 commit b7c2176
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions rwpng.c
Original file line number Diff line number Diff line change
Expand Up @@ -244,12 +244,6 @@ static pngquant_error rwpng_read_image24_libpng(FILE *infile, png24_image *mainp
png_get_IHDR(png_ptr, info_ptr, &mainprog_ptr->width, &mainprog_ptr->height,
&bit_depth, &color_type, NULL, NULL, NULL);

// For overflow safety reject images that won't fit in 32-bit
if (mainprog_ptr->width > INT_MAX/mainprog_ptr->height) {
png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
return PNG_OUT_OF_MEMORY_ERROR; /* not quite true, but whatever */
}

/* expand palette images to RGB, low-bit-depth grayscale images to 8 bits,
* transparency chunks to full alpha channel; strip 16-bit-per-sample
* images to 8 bits per sample; and convert grayscale to RGB[A] */
Expand Down Expand Up @@ -304,6 +298,12 @@ static pngquant_error rwpng_read_image24_libpng(FILE *infile, png24_image *mainp

rowbytes = png_get_rowbytes(png_ptr, info_ptr);

// For overflow safety reject images that won't fit in 32-bit
if (rowbytes > INT_MAX/mainprog_ptr->height) {
png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
return PNG_OUT_OF_MEMORY_ERROR;
}

if ((mainprog_ptr->rgba_data = malloc(rowbytes * mainprog_ptr->height)) == NULL) {
fprintf(stderr, "pngquant readpng: unable to allocate image data\n");
png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
Expand Down

0 comments on commit b7c2176

Please sign in to comment.