35 lines
1.2 KiB
Diff
35 lines
1.2 KiB
Diff
From 1748e52e41b7bd8bde8cc917053c39bd6849c17d Mon Sep 17 00:00:00 2001
|
|
From: Cosmin Truta <ctruta@gmail.com>
|
|
Date: Sun, 17 Jun 2018 22:56:29 -0400
|
|
Subject: [PATCH] Fix the calculation of row_factor in png_check_chunk_length
|
|
|
|
(Bug report by Thuan Pham, SourceForge issue #278)
|
|
---
|
|
pngrutil.c | 9 ++++++---
|
|
1 file changed, 6 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/pngrutil.c b/pngrutil.c
|
|
index d5a344d..1e90863 100644
|
|
--- a/pngrutil.c
|
|
+++ b/pngrutil.c
|
|
@@ -2839,10 +2839,13 @@ png_check_chunk_length(png_structp png_ptr, png_uint_32 length)
|
|
{
|
|
png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
|
|
size_t row_factor =
|
|
- (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
|
|
- + 1 + (png_ptr->interlaced? 6: 0));
|
|
+ (size_t)png_ptr->width
|
|
+ * (size_t)png_ptr->channels
|
|
+ * (png_ptr->bit_depth > 8? 2: 1)
|
|
+ + 1
|
|
+ + (png_ptr->interlaced? 6: 0);
|
|
if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
|
|
- idat_limit=PNG_UINT_31_MAX;
|
|
+ idat_limit = PNG_UINT_31_MAX;
|
|
else
|
|
idat_limit = png_ptr->height * row_factor;
|
|
row_factor = row_factor > 32566? 32566 : row_factor;
|
|
--
|
|
2.17.1
|
|
|