commit 78a56b21340157775be2462a19276b4d31d2bd01
Author: Andrea Mazzoleni
Date: Fri Jan 4 20:49:25 2019 +0100
Fix a buffer overflow caused by invalid images
diff --git a/lib/png.c b/lib/png.c
index 0939a5a..cbf140b 100644
--- a/lib/png.c
+++ b/lib/png.c
@@ -603,6 +603,7 @@ adv_error adv_png_read_ihdr(
 unsigned pixel;
 unsigned width;
 unsigned width_align;
+ unsigned scanline;
 unsigned height;
 unsigned depth;
 int r;
@@ -719,9 +720,23 @@ adv_error adv_png_read_ihdr(
 goto err_ptr;
 }
- *dat_size = height * (width_align * pixel + 1);
+ /* check for overflow */
+ if (pixel == 0 || width_align >= UINT_MAX / pixel) {
+ error_set("Invalid image size");
+ goto err_ptr;
+ }
+
+ scanline = width_align * pixel + 1;
+
+ /* check for overflow */
+ if (scanline == 0 || height >= UINT_MAX / scanline) {
+ error_set("Invalid image size");
+ goto err_ptr;
+ }
+
+ *dat_size = height * scanline;
 *dat_ptr = malloc(*dat_size);
- *pix_scanline = width_align * pixel + 1;
+ *pix_scanline = scanline;
 *pix_ptr = *dat_ptr + 1;
 z.zalloc = 0;
diff -up advancecomp-1.15/portable.h.me advancecomp-1.15/portable.h
--- advancecomp-1.15/portable.h.me 2019-05-17 15:15:08.109528451 +0200
+++ advancecomp-1.15/portable.h 2019-05-17 15:15:38.318620937 +0200
@@ -39,6 +39,7 @@ extern "C" {
 #include
 #include
 #include
+#include
 #if HAVE_UNISTD_H
 #include
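Review bot: In the second lib/png.c hunk the result of `malloc(*dat_size)` is still used unchecked, so `*pix_ptr = *dat_ptr + 1` runs even when the allocation fails. The new guards only stop `height * scanline` from wrapping; a file that declares dimensions just under the limit can still request close to `UINT_MAX` bytes and get NULL back, so I would add `if (*dat_ptr == 0) { error_set("Low memory"); goto err_ptr; }` directly after the `malloc`, using the same `err_ptr` exit the guards use. If `height` can be 0 at this point (the IHDR field validation is outside the hunk), `*dat_size` is 0 and `*dat_ptr + 1` already points past the allocation, so that case may deserve the same rejection. The body of `adv_png_read_ihdr` starts and ends outside the hunk, so later handling of these pointers is not visible here.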