Original Chromium patch for CVE-2011-3026.
diff -Naur libpng-1.2.46.orig/pngrutil.c libpng-1.2.46/pngrutil.c
|
|
--- libpng-1.2.46.orig/pngrutil.c 2011-07-09 06:30:23.000000000 -0400
|
|
+++ libpng-1.2.46/pngrutil.c 2012-02-16 10:28:14.433079740 -0500
|
|
@@ -363,8 +363,15 @@
|
|
{
|
|
/* Success (maybe) - really uncompress the chunk. */
|
|
png_size_t new_size = 0;
|
|
- png_charp text = png_malloc_warn(png_ptr,
|
|
- prefix_size + expanded_size + 1);
|
|
+ png_charp text = NULL;
|
|
+ /* Need to check for both truncation (64-bit platforms) and integer
|
|
+ * overflow.
|
|
+ */
|
|
+ if (prefix_size + expanded_size > prefix_size &&
|
|
+ prefix_size + expanded_size < 0xffffffffU)
|
|
+ {
|
|
+ text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1);
|
|
+ }
|
|
|
|
if (text != NULL)
|
|
{
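Review bot: The new guard is stricter than the overflow/truncation it documents: because the first comparison is `>` rather than `>=`, an inflated chunk of zero bytes (where `prefix_size + expanded_size == prefix_size`) is now rejected exactly as if the sum had wrapped, even though unsigned wraparound always yields a sum strictly below `prefix_size`, so `>=` would detect it just as well. If a zero-length expansion is a legitimate outcome at this point, and the enclosing function (which starts and ends outside this hunk) reports a NULL `text` as an out-of-memory condition, that warning would be misleading for a size that was merely refused. The sum is also spelled out three times and compared against the bare literal `0xffffffffU`, which stands in for the 32-bit size parameter the comment alludes to; computing it once as `png_size_t total_size = prefix_size + expanded_size;` and testing `if (total_size >= prefix_size && total_size < PNG_UINT_32_MAX)` (assuming png.h in this tree defines that limit, as later versions do) would name the actual bound and keep the `+ 1` for the terminator visibly within it. A short comment such as `/* total_size + 1 must still fit the png_uint_32 size png_malloc_warn takes */` would make the 64-bit truncation rationale concrete for the next reader.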
|