Diffstat (limited to 'base')
-rw-r--r-- | base/gfx/png_decoder.cc | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/base/gfx/png_decoder.cc b/base/gfx/png_decoder.cc
index 1a45057..e493464 100644
--- a/base/gfx/png_decoder.cc
+++ b/base/gfx/png_decoder.cc
@@ -51,9 +51,6 @@
 const double kMaxGamma = 21474.83; // Maximum gamma accepted by png library.
 const double kDefaultGamma = 2.2;
 const double kInverseGamma = 1.0 / kDefaultGamma;
-// Maximum pixel dimension we'll try to decode.
-const png_uint_32 kMaxSize = 4096;
-
 class PngDecoderState {
  public:
   PngDecoderState(PNGDecoder::ColorFormat ofmt, std::vector<unsigned char>* o)
@@ -123,8 +120,13 @@ void DecodeInfoCallback(png_struct* png_ptr, png_info* info_ptr) {
                &interlace_type, &compression_type, &filter_type);
 
   // Bounds check. When the image is unreasonably big, we'll error out and
-  // end up back at the setjmp call when we set up decoding.
-  if (w > kMaxSize || h > kMaxSize)
+  // end up back at the setjmp call when we set up decoding. "Unreasonably big"
+  // means "big enough that w * h * 32bpp might overflow an int"; we choose this
+  // threshold to match WebKit and because a number of places in code assume
+  // that an image's size (in bytes) fits in a (signed) int.
+  unsigned long long total_size =
+      static_cast<unsigned long long>(w) * static_cast<unsigned long long>(h);
+  if (total_size > ((1 << 29) - 1))
     longjmp(png_ptr->jmpbuf, 1);
   state->width = static_cast<int>(w);
   state->height = static_cast<int>(h);
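Review bot: The threshold `(1 << 29) - 1` in the new `if` of the second hunk is a bare magic number standing in for the constant the first hunk removes; the comment states the intent but leaves the arithmetic (2^29 - 1 pixels times 4 bytes is 2^31 - 4 bytes, which still fits a signed int) for the reader to verify. I'd restore a named constant next to kMaxGamma, `const unsigned long long kMaxPixels = (1ull << 29) - 1;  // times 4 bytes/pixel stays below 2^31`, and compare with `if (total_size > kMaxPixels)`. The bound is only correct for a 4-byte output pixel; if the decoder ever produces a wider output format the limit silently becomes too loose, so the constant's comment should state that assumption (the output-format handling is outside this hunk). DecodeInfoCallback starts before and continues after the hunk.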