wok view advancecomp/stuff/CVE-2019-8383.patch @ rev 24793

updated libgpg-error and libgpg-error-dev (1.37 -> 1.44)
author Hans-G?nter Theisgen
date Mon Mar 21 15:45:38 2022 +0100 (2022-03-21)
parents
children
line source
1 commit 78a56b21340157775be2462a19276b4d31d2bd01
2 Author: Andrea Mazzoleni <amadvance@gmail.com>
3 Date: Fri Jan 4 20:49:25 2019 +0100
5 Fix a buffer overflow caused by invalid images
7 diff --git a/lib/png.c b/lib/png.c
8 index 0939a5a..cbf140b 100644
9 --- a/lib/png.c
10 +++ b/lib/png.c
11 @@ -603,6 +603,7 @@ adv_error adv_png_read_ihdr(
12 unsigned pixel;
13 unsigned width;
14 unsigned width_align;
15 + unsigned scanline;
16 unsigned height;
17 unsigned depth;
18 int r;
19 @@ -719,9 +720,23 @@ adv_error adv_png_read_ihdr(
20 goto err_ptr;
21 }
23 - *dat_size = height * (width_align * pixel + 1);
24 + /* check for overflow */
25 + if (pixel == 0 || width_align >= UINT_MAX / pixel) {
26 + error_set("Invalid image size");
27 + goto err_ptr;
28 + }
29 +
30 + scanline = width_align * pixel + 1;
31 +
32 + /* check for overflow */
33 + if (scanline == 0 || height >= UINT_MAX / scanline) {
34 + error_set("Invalid image size");
35 + goto err_ptr;
36 + }
37 +
38 + *dat_size = height * scanline;
39 *dat_ptr = malloc(*dat_size);
40 - *pix_scanline = width_align * pixel + 1;
41 + *pix_scanline = scanline;
42 *pix_ptr = *dat_ptr + 1;
44 z.zalloc = 0;