84 lines
2.5 KiB
Diff
84 lines
2.5 KiB
Diff
--- camlimages-2.2.orig/png/pngread.c 2002-03-26 13:15:10.000000000 +0000
|
|
+++ camlimages-2.2.png/png/pngread.c 2009-10-16 10:46:07.759508515 +0100
|
|
@@ -13,6 +13,8 @@
|
|
/***********************************************************************/
|
|
#include <config.h>
|
|
|
|
+#include <limits.h>
|
|
+
|
|
#if HAVE_PNG
|
|
#include <png.h>
|
|
#endif
|
|
@@ -33,6 +35,12 @@
|
|
#define PNG_TAG_INDEX16 2
|
|
#define PNG_TAG_INDEX4 3
|
|
|
|
+/* Test if x or y are negative, or if multiplying x * y would cause an
|
|
+ * arithmetic overflow.
|
|
+ */
|
|
+#define oversized(x, y) \
|
|
+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
|
|
+
|
|
value read_png_file_as_rgb24( name )
|
|
value name;
|
|
{
|
|
@@ -88,6 +96,9 @@
|
|
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
|
|
&interlace_type, NULL, NULL);
|
|
|
|
+ if (oversized (width, height))
|
|
+ failwith ("png error: image contains oversized or bogus width and height");
|
|
+
|
|
if ( color_type == PNG_COLOR_TYPE_GRAY ||
|
|
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
|
|
png_set_gray_to_rgb(png_ptr);
|
|
@@ -109,10 +120,16 @@
|
|
|
|
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
|
|
|
|
+ if (oversized (rowbytes, height))
|
|
+ failwith ("png error: image contains oversized or bogus rowbytes and height");
|
|
+
|
|
{
|
|
int i;
|
|
png_bytep *row_pointers;
|
|
|
|
+ if (oversized (sizeof (png_bytep), height))
|
|
+ failwith ("png error: image contains oversized or bogus height");
|
|
+
|
|
row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
|
|
|
|
res = alloc_tuple(3);
|
|
@@ -242,6 +259,9 @@
|
|
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
|
|
&interlace_type, NULL, NULL);
|
|
|
|
+ if (oversized (width, height))
|
|
+ failwith ("png error: image contains oversized or bogus width and height");
|
|
+
|
|
if ( color_type == PNG_COLOR_TYPE_GRAY ||
|
|
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
|
|
png_set_gray_to_rgb(png_ptr);
|
|
@@ -258,6 +278,9 @@
|
|
|
|
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
|
|
|
|
+ if (oversized (rowbytes, height))
|
|
+ failwith ("png error: image contains oversized or bogus rowbytes and height");
|
|
+
|
|
/*
|
|
fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
|
|
*/
|
|
@@ -265,7 +288,10 @@
|
|
int i;
|
|
png_bytep *row_pointers;
|
|
char mesg[256];
|
|
-
|
|
+
|
|
+ if (oversized (sizeof (png_bytep), height))
|
|
+ failwith ("png error: image contains oversized or bogus height");
|
|
+
|
|
row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height);
|
|
res = alloc_tuple(3);
|
|
|