wok view advancecomp/stuff/CVE-2019-8383.patch @ rev 24695
advancecomp: CVE-2019-8383 & CVE-2019-9210
| author | Pascal Bellard <pascal.bellard@slitaz.org> |
|---|---|
| date | Sun Mar 13 15:13:28 2022 +0000 (2022-03-13) |
| parents | |
| children |
line source
1 commit 78a56b21340157775be2462a19276b4d31d2bd01
2 Author: Andrea Mazzoleni <amadvance@gmail.com>
3 Date: Fri Jan 4 20:49:25 2019 +0100
5 Fix a buffer overflow caused by invalid images
7 diff --git a/lib/png.c b/lib/png.c
8 index 0939a5a..cbf140b 100644
9 --- a/lib/png.c
10 +++ b/lib/png.c
11 @@ -603,6 +603,7 @@ adv_error adv_png_read_ihdr(
12 unsigned pixel;
13 unsigned width;
14 unsigned width_align;
15 + unsigned scanline;
16 unsigned height;
17 unsigned depth;
18 int r;
19 @@ -719,9 +720,23 @@ adv_error adv_png_read_ihdr(
20 goto err_ptr;
21 }
23 - *dat_size = height * (width_align * pixel + 1);
24 + /* check for overflow */
25 + if (pixel == 0 || width_align >= UINT_MAX / pixel) {
26 + error_set("Invalid image size");
27 + goto err_ptr;
28 + }
29 +
30 + scanline = width_align * pixel + 1;
31 +
32 + /* check for overflow */
33 + if (scanline == 0 || height >= UINT_MAX / scanline) {
34 + error_set("Invalid image size");
35 + goto err_ptr;
36 + }
37 +
38 + *dat_size = height * scanline;
39 *dat_ptr = malloc(*dat_size);
40 - *pix_scanline = width_align * pixel + 1;
41 + *pix_scanline = scanline;
42 *pix_ptr = *dat_ptr + 1;
44 z.zalloc = 0;