author | Dave Burke <daveburke@google.com> | 2012-03-05 22:36:13 -0800 |
committer | Selim Gurun <sgurun@google.com> | 2012-03-15 13:42:50 -0700 |
commit | 07fde26d99f1da11fc514b2aeef7ae0620f85a63 (patch) | |
tree | 2ea44343e9c8d62a3791b01bd14e9facf889dd2d | |
parent | 17b24482db9fb75020b91a9c17f2014beebc86ed (diff) | |
DO NOT MERGE Fix for CVE-2011-3026
Bug: 6085440
Note that this fix was borrowed from Chromium; the issue was fixed in libpng 1.2.47 using a different approach.
Cherry pick from ccee121fae4c60a5dee6fce51195185694c376c3
Change-Id: I65f4ad400563f7e27ee73872f9c16f3ae4c8644d
-rw-r--r-- | pngrutil.c | 10 |
1 files changed, 8 insertions, 2 deletions
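--- a/pngrutil.c
+++ b/pngrutil.c
@@ -380,8 +380,14 @@ png_decompress_chunk(png_structp png_ptr, int comp_type,
 {
 /* Success (maybe) - really uncompress the chunk. */
 png_size_t new_size = 0;
-png_charp text = png_malloc_warn(png_ptr,
-prefix_size + expanded_size + 1);
+png_charp text = NULL;
+
+/* Need to check for both truncation (64-bit) and integer overflow. */
+if (prefix_size + expanded_size > prefix_size &&
+prefix_size + expanded_size < 0xffffffffU)
+{
+text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1);
+}
 
 if (text != NULL)
 {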
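Review bot: The wrap-around guard `prefix_size + expanded_size > prefix_size` is also false when expanded_size is 0, so an empty decompressed payload now skips the allocation that the removed lines performed unconditionally and leaves `text` NULL; whatever the NULL branch does later in png_decompress_chunk (the function continues outside this hunk) now applies to that case as well. Testing the bound without forming the sum avoids the wrap entirely, keeps the zero case, and evaluates the expression once: `if (prefix_size < 0xffffffffU && expanded_size < 0xffffffffU - prefix_size)`. That still guarantees the size handed to png_malloc_warn, including the `+ 1` terminator byte, stays below 2^32, which is what the `0xffffffffU` comparison is there to ensure per the added comment. The comment itself would read better if it named the reason rather than the symptom: `/* The sum must not wrap in png_size_t and must stay below 2^32 so that size + 1 fits the allocator's 32-bit length. */`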