author | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-08-04 14:09:27 -0500 |
---|---|---|
committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-08-04 14:09:27 -0500 |
commit | 2dca15686fadb1b8951cb29b02bad4cae73448da (patch) | |
tree | 1d532d1ae89b5d0d3e67417d5e2f87d9a1eb4b92 /pngrutil.c | |
parent | 469317d9bd4d5ca442b32949fa26abcef16948b8 (diff) |
[libpng16] Moved chunk-length check into a png_check_chunk_length() private
function (Suggested by Max Stepin).
Diffstat (limited to 'pngrutil.c')
-rw-r--r-- | pngrutil.c | 70 |
1 files changed, 39 insertions, 31 deletions
diff --git a/pngrutil.c b/pngrutil.c index 476837700..b744a51d9 100644 --- a/pngrutil.c +++ b/pngrutil.c @@ -157,7 +157,6 @@ png_read_chunk_header(png_structrp png_ptr) { png_byte buf[8]; png_uint_32 length; - png_alloc_size_t limit = PNG_UINT_31_MAX; #ifdef PNG_IO_STATE_SUPPORTED png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_HDR; @@ -183,36 +182,7 @@ png_read_chunk_header(png_structrp png_ptr) png_check_chunk_name(png_ptr, png_ptr->chunk_name); /* Check for too-large chunk length */ - if (png_ptr->chunk_name != png_IDAT) - { -# ifdef PNG_SET_USER_LIMITS_SUPPORTED - if (png_ptr->user_chunk_malloc_max > 0 && - png_ptr->user_chunk_malloc_max < limit) - limit = png_ptr->user_chunk_malloc_max; -# elif PNG_USER_CHUNK_MALLOC_MAX > 0 - if (PNG_USER_CHUNK_MALLOC_MAX < limit) - limit = PNG_USER_CHUNK_MALLOC_MAX; -# endif - } - else - { - size_t row_factor = - (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1) - + 1 + (png_ptr->interlaced? 6: 0)); - if (png_ptr->height > PNG_UINT_32_MAX/row_factor) - limit=PNG_UINT_31_MAX; - else - limit = png_ptr->height * row_factor; - limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */ - limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX; - } - - if (length > limit) - { - png_debug2(0," length = %lu, limit = %lu", - (unsigned long)length,(unsigned long)limit); - png_chunk_error(png_ptr, "chunk data is too large"); - } + png_check_chunk_length(png_ptr, png_ptr->chunk_name, length); #ifdef PNG_IO_STATE_SUPPORTED png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA; 
@@ -3134,6 +3104,44 @@ png_check_chunk_name(png_structrp png_ptr, png_uint_32 chunk_name) } } +void /* PRIVATE */ +png_check_chunk_length(png_structrp png_ptr, png_uint_32 chunk_name, + png_uint_32 length) +{ + png_alloc_size_t limit = PNG_UINT_31_MAX; + + if (png_ptr->chunk_name != png_IDAT) + { +# ifdef PNG_SET_USER_LIMITS_SUPPORTED + if (png_ptr->user_chunk_malloc_max > 0 && + png_ptr->user_chunk_malloc_max < limit) + limit = png_ptr->user_chunk_malloc_max; +# elif PNG_USER_CHUNK_MALLOC_MAX > 0 + if (PNG_USER_CHUNK_MALLOC_MAX < limit) + limit = PNG_USER_CHUNK_MALLOC_MAX; +# endif + } + else + { + size_t row_factor = + (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1) + + 1 + (png_ptr->interlaced? 6: 0)); + if (png_ptr->height > PNG_UINT_32_MAX/row_factor) + limit=PNG_UINT_31_MAX; + else + limit = png_ptr->height * row_factor; + limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */ + limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX; + } + + if (length > limit) + { + png_debug2(0," length = %lu, limit = %lu", + (unsigned long)length,(unsigned long)limit); + png_chunk_error(png_ptr, "chunk data is too large"); + } +} + /* Combines the row recently read in with the existing pixels in the row. This * routine takes care of alpha and transparency if requested. This routine also * handles the two methods of progressive display of interlaced images, |
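Review bot: In the IDAT branch of png_check_chunk_length(), `row_factor` is declared `size_t`, but the product `png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)` appears to be evaluated in 32-bit unsigned arithmetic before it is widened (assuming `width` is a `png_uint_32`, which this page does not show), so a large width taken from the file can wrap, and the wrapped value is then the divisor in `PNG_UINT_32_MAX/row_factor`. Because this function exists to bound lengths read from untrusted input, widen the operands first, e.g. `(size_t)png_ptr->width * (size_t)png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)`, and clamp to `PNG_UINT_31_MAX` when `row_factor` is zero rather than dividing by it. Separately, the new `chunk_name` parameter is never read: the body tests `png_ptr->chunk_name`, so either write `if (chunk_name != png_IDAT)` or drop the parameter. The arithmetic is moved unchanged from png_read_chunk_header(), so it predates this commit, but the new helper is the natural place to fix it.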