wok annotate advancecomp/stuff/CVE-2019-8383.patch @ rev 24924
Add as & asxxxx
author | Pascal Bellard <pascal.bellard@slitaz.org> |
---|---|
date | Wed Apr 13 10:27:34 2022 +0000 (2022-04-13) |
parents | |
children |
rev | line source |
---|---|
pascal@24695 | 1 commit 78a56b21340157775be2462a19276b4d31d2bd01 |
pascal@24695 | 2 Author: Andrea Mazzoleni <amadvance@gmail.com> |
pascal@24695 | 3 Date: Fri Jan 4 20:49:25 2019 +0100 |
pascal@24695 | 4 |
pascal@24695 | 5 Fix a buffer overflow caused by invalid images |
pascal@24695 | 6 |
pascal@24695 | 7 diff --git a/lib/png.c b/lib/png.c |
pascal@24695 | 8 index 0939a5a..cbf140b 100644 |
pascal@24695 | 9 --- a/lib/png.c |
pascal@24695 | 10 +++ b/lib/png.c |
pascal@24695 | 11 @@ -603,6 +603,7 @@ adv_error adv_png_read_ihdr( |
pascal@24695 | 12 unsigned pixel; |
pascal@24695 | 13 unsigned width; |
pascal@24695 | 14 unsigned width_align; |
pascal@24695 | 15 + unsigned scanline; |
pascal@24695 | 16 unsigned height; |
pascal@24695 | 17 unsigned depth; |
pascal@24695 | 18 int r; |
pascal@24695 | 19 @@ -719,9 +720,23 @@ adv_error adv_png_read_ihdr( |
pascal@24695 | 20 goto err_ptr; |
pascal@24695 | 21 } |
pascal@24695 | 22 |
pascal@24695 | 23 - *dat_size = height * (width_align * pixel + 1); |
pascal@24695 | 24 + /* check for overflow */ |
pascal@24695 | 25 + if (pixel == 0 || width_align >= UINT_MAX / pixel) { |
pascal@24695 | 26 + error_set("Invalid image size"); |
pascal@24695 | 27 + goto err_ptr; |
pascal@24695 | 28 + } |
pascal@24695 | 29 + |
pascal@24695 | 30 + scanline = width_align * pixel + 1; |
pascal@24695 | 31 + |
pascal@24695 | 32 + /* check for overflow */ |
pascal@24695 | 33 + if (scanline == 0 || height >= UINT_MAX / scanline) { |
pascal@24695 | 34 + error_set("Invalid image size"); |
pascal@24695 | 35 + goto err_ptr; |
pascal@24695 | 36 + } |
pascal@24695 | 37 + |
pascal@24695 | 38 + *dat_size = height * scanline; |
pascal@24695 | 39 *dat_ptr = malloc(*dat_size); |
pascal@24695 | 40 - *pix_scanline = width_align * pixel + 1; |
pascal@24695 | 41 + *pix_scanline = scanline; |
pascal@24695 | 42 *pix_ptr = *dat_ptr + 1; |
pascal@24695 | 43 |
pascal@24695 | 44 z.zalloc = 0; |