d9e85c6bb0
git-svn-id: svn://svn.openwrt.org/openwrt/packages@30633 3c298f89-4303-0410-b956-a3cf2f4a3e73
41 lines
1.5 KiB
Diff
41 lines
1.5 KiB
Diff
--- a/pngrutil.c
|
|
+++ b/pngrutil.c
|
|
@@ -339,15 +339,18 @@ png_decompress_chunk(png_structp png_ptr
|
|
/* Now check the limits on this chunk - if the limit fails the
|
|
* compressed data will be removed, the prefix will remain.
|
|
*/
|
|
+ if (prefix_size >= (~(png_size_t)0) - 1 ||
|
|
+ expanded_size >= (~(png_size_t)0) - 1 - prefix_size
|
|
#ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
|
|
- if (png_ptr->user_chunk_malloc_max &&
|
|
+ || (png_ptr->user_chunk_malloc_max &&
|
|
(prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1))
|
|
#else
|
|
# ifdef PNG_USER_CHUNK_MALLOC_MAX
|
|
- if ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
|
|
+ || ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
|
|
prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1)
|
|
# endif
|
|
#endif
|
|
+ )
|
|
png_warning(png_ptr, "Exceeded size limit while expanding chunk");
|
|
|
|
/* If the size is zero either there was an error and a message
|
|
@@ -355,14 +358,11 @@ png_decompress_chunk(png_structp png_ptr
|
|
* and we have nothing to do - the code will exit through the
|
|
* error case below.
|
|
*/
|
|
-#if defined(PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED) || \
|
|
- defined(PNG_USER_CHUNK_MALLOC_MAX)
|
|
- else
|
|
-#endif
|
|
- if (expanded_size > 0)
|
|
+ else if (expanded_size > 0)
|
|
{
|
|
/* Success (maybe) - really uncompress the chunk. */
|
|
png_size_t new_size = 0;
|
|
+
|
|
png_charp text = png_malloc_warn(png_ptr,
|
|
prefix_size + expanded_size + 1);
|
|
|