Updated patch from https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11
parent
9294690bdb
commit
7d394c8034
@ -1,6 +1,15 @@
|
||||
--- camlimages-3.0.1/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
|
||||
+++ camlimages-3.0.1-oversized-png-checks/src/pngread.c 2009-07-03 14:19:42.000000000 +0100
|
||||
@@ -26,6 +26,12 @@
|
||||
--- camlimages-3.0.1.orig/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
|
||||
+++ camlimages-3.0.1.oversized/src/pngread.c 2009-07-03 15:51:00.000000000 +0100
|
||||
@@ -15,6 +15,8 @@
|
||||
#include "config.h"
|
||||
#endif
|
||||
|
||||
+#include <limits.h>
|
||||
+
|
||||
#include <png.h>
|
||||
|
||||
#include <caml/mlvalues.h>
|
||||
@@ -26,6 +28,12 @@
|
||||
#define PNG_TAG_INDEX16 2
|
||||
#define PNG_TAG_INDEX4 3
|
||||
|
||||
@ -8,12 +17,12 @@
|
||||
+ * arithmetic overflow.
|
||||
+ */
|
||||
+#define oversized(x, y) \
|
||||
+ ((x) < 0 || (y) < 0 || (x) * (y) < (x) || (x) * (y) < (y))
|
||||
+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
|
||||
+
|
||||
value read_png_file_as_rgb24( name )
|
||||
value name;
|
||||
{
|
||||
@@ -81,6 +87,9 @@
|
||||
@@ -81,6 +89,9 @@
|
||||
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
|
||||
&interlace_type, NULL, NULL);
|
||||
|
||||
@ -23,7 +32,7 @@
|
||||
if ( color_type == PNG_COLOR_TYPE_GRAY ||
|
||||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
|
||||
png_set_gray_to_rgb(png_ptr);
|
||||
@@ -102,6 +111,9 @@
|
||||
@@ -102,10 +113,16 @@
|
||||
|
||||
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
|
||||
|
||||
@ -33,7 +42,14 @@
|
||||
{
|
||||
int i;
|
||||
png_bytep *row_pointers;
|
||||
@@ -235,6 +247,9 @@
|
||||
|
||||
+ if (oversized (sizeof (png_bytep), height))
|
||||
+ failwith ("png error: image contains oversized or bogus height");
|
||||
+
|
||||
row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
|
||||
|
||||
res = alloc_tuple(3);
|
||||
@@ -235,6 +252,9 @@
|
||||
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
|
||||
&interlace_type, NULL, NULL);
|
||||
|
||||
@ -43,7 +59,7 @@
|
||||
if ( color_type == PNG_COLOR_TYPE_GRAY ||
|
||||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
|
||||
png_set_gray_to_rgb(png_ptr);
|
||||
@@ -251,6 +266,9 @@
|
||||
@@ -251,6 +271,9 @@
|
||||
|
||||
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
|
||||
|
||||
@ -53,3 +69,13 @@
|
||||
/*
|
||||
fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
|
||||
*/
|
||||
@@ -259,6 +282,9 @@
|
||||
png_bytep *row_pointers;
|
||||
char mesg[256];
|
||||
|
||||
+ if (oversized (sizeof (png_bytep), height))
|
||||
+ failwith ("png error: image contains oversized or bogus height");
|
||||
+
|
||||
row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height);
|
||||
res = alloc_tuple(3);
|
||||
|
||||
|
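Review bot: The `failwith` calls added ahead of both `stat_alloc(sizeof(png_bytep) * height)` allocations raise the OCaml exception while `png_ptr` and `info_ptr` are still live, and no cleanup is visible between `png_get_IHDR` and the raise. The enclosing functions begin and end outside these hunks, so this is inferred, but if they also hold the opened input file then every rejected image leaks the libpng structs and a descriptor; I would put `png_destroy_read_struct(&png_ptr, &info_ptr, NULL);` and the file close immediately before each `failwith`. Separately, in `oversized (sizeof (png_bytep), height)` the first argument is a `size_t`, so `(x) < 0` is always false, and `(y) < 0` only catches a bogus height if `height` is declared signed, which the page does not show; a comment on the macro saying it expects signed `int` operands would make that limit explicit.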