wok annotate advancecomp/stuff/CVE-2019-8383.patch @ rev 24891

lynx: use ncursesw (tanks ceel)
author Pascal Bellard <pascal.bellard@slitaz.org>
date Thu Apr 07 07:20:18 2022 +0000 (2022-04-07)
parents
children
rev   line source
pascal@24695 1 commit 78a56b21340157775be2462a19276b4d31d2bd01
pascal@24695 2 Author: Andrea Mazzoleni <amadvance@gmail.com>
pascal@24695 3 Date: Fri Jan 4 20:49:25 2019 +0100
pascal@24695 4
pascal@24695 5 Fix a buffer overflow caused by invalid images
pascal@24695 6
pascal@24695 7 diff --git a/lib/png.c b/lib/png.c
pascal@24695 8 index 0939a5a..cbf140b 100644
pascal@24695 9 --- a/lib/png.c
pascal@24695 10 +++ b/lib/png.c
pascal@24695 11 @@ -603,6 +603,7 @@ adv_error adv_png_read_ihdr(
pascal@24695 12 unsigned pixel;
pascal@24695 13 unsigned width;
pascal@24695 14 unsigned width_align;
pascal@24695 15 + unsigned scanline;
pascal@24695 16 unsigned height;
pascal@24695 17 unsigned depth;
pascal@24695 18 int r;
pascal@24695 19 @@ -719,9 +720,23 @@ adv_error adv_png_read_ihdr(
pascal@24695 20 goto err_ptr;
pascal@24695 21 }
pascal@24695 22
pascal@24695 23 - *dat_size = height * (width_align * pixel + 1);
pascal@24695 24 + /* check for overflow */
pascal@24695 25 + if (pixel == 0 || width_align >= UINT_MAX / pixel) {
pascal@24695 26 + error_set("Invalid image size");
pascal@24695 27 + goto err_ptr;
pascal@24695 28 + }
pascal@24695 29 +
pascal@24695 30 + scanline = width_align * pixel + 1;
pascal@24695 31 +
pascal@24695 32 + /* check for overflow */
pascal@24695 33 + if (scanline == 0 || height >= UINT_MAX / scanline) {
pascal@24695 34 + error_set("Invalid image size");
pascal@24695 35 + goto err_ptr;
pascal@24695 36 + }
pascal@24695 37 +
pascal@24695 38 + *dat_size = height * scanline;
pascal@24695 39 *dat_ptr = malloc(*dat_size);
pascal@24695 40 - *pix_scanline = width_align * pixel + 1;
pascal@24695 41 + *pix_scanline = scanline;
pascal@24695 42 *pix_ptr = *dat_ptr + 1;
pascal@24695 43
pascal@24695 44 z.zalloc = 0;