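--- a/src/pngread.c
+++ b/src/pngread.c
@@ -26,6 +26,12 @@
 #define PNG_TAG_INDEX16 2
 #define PNG_TAG_INDEX4 3
 
+/* Test if x or y are negative, or if multiplying x * y would cause an
+ * arithmetic overflow.
+ */
+#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || (x) * (y) < (x) || (x) * (y) < (y))
+
 value read_png_file_as_rgb24( name )
 value name;
 {
@@ -81,6 +87,9 @@
 png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
 &interlace_type, NULL, NULL);
 
+ if (oversized (width, height))
+ failwith ("png error: image contains oversized or bogus width and height");
+
 if ( color_type == PNG_COLOR_TYPE_GRAY ||
 color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
 png_set_gray_to_rgb(png_ptr);
@@ -102,6 +111,9 @@
 
 rowbytes = png_get_rowbytes(png_ptr, info_ptr);
 
+ if (oversized (rowbytes, height))
+ failwith ("png error: image contains oversized or bogus rowbytes and height");
+
 {
 int i;
 png_bytep *row_pointers;
@@ -235,6 +247,9 @@
 png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
 &interlace_type, NULL, NULL);
 
+ if (oversized (width, height))
+ failwith ("png error: image contains oversized or bogus width and height");
+
 if ( color_type == PNG_COLOR_TYPE_GRAY ||
 color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
 png_set_gray_to_rgb(png_ptr);
@@ -251,6 +266,9 @@
 
 rowbytes = png_get_rowbytes(png_ptr, info_ptr);
 
+ if (oversized (rowbytes, height))
+ failwith ("png error: image contains oversized or bogus rowbytes and height");
+
 /*
 fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
 */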
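Review bot: The `oversized` macro added in the first hunk tests for overflow by performing `(x) * (y)` and comparing the product with its operands, which does not reliably detect it. If the operands are signed, the overflowing multiplication is undefined behaviour and the compiler may remove the comparison; if they are unsigned (the declarations of `width`, `height` and `rowbytes` are outside the hunks), `(x) < 0` is always false and a wrapped product can still exceed both operands, e.g. 0x18000 * 0x18000 wraps to 0x40000000 in 32 bits. A division-based test avoids both problems: `((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))`, with `<limits.h>` included and the bound replaced by whatever limit the later allocation size actually has to respect. All four call sites use the macro, so the change is confined to its definition; the functions containing those call sites start and end outside the hunks, so the allocations being guarded are not visible here and should be checked against the same bound.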