diff options
| author | Robin Watts <Robin.Watts@artifex.com> | 2022-11-22 15:37:21 +0000 |
|---|---|---|
| committer | Robin Watts <Robin.Watts@artifex.com> | 2022-11-22 15:37:45 +0000 |
| commit | 77b39aadde69f7b8c544b0b60cb81ae4d26c4104 (patch) | |
| tree | 6b48e0102728f19e152f5812cdc1092f71877a94 /gpdl | |
| parent | 81762a230ddb26749536e2c1061e68cd28530c68 (diff) | |
| download | ghostpdl-77b39aadde69f7b8c544b0b60cb81ae4d26c4104.tar.gz | |
Bug 706048: Detect overflow in gpdl png handling.
Give an error, rather than setting ourselves up to fail later.
Diffstat (limited to 'gpdl')
| -rw-r--r-- | gpdl/pngtop.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/gpdl/pngtop.c b/gpdl/pngtop.c index db189dd04..0fcf821d0 100644 --- a/gpdl/pngtop.c +++ b/gpdl/pngtop.c @@ -590,6 +590,13 @@ do_impl_process(png_interp_instance_t *png, stream_cursor_read * pr, bool eof) break; } + if (SIZE_MAX / png->byte_width < (png->interlaced ? png->height : 1)) + { + code = gs_note_error(gs_error_VMerror); + png->state = ii_state_flush; + break; + } + png->samples = gs_alloc_bytes(png->memory, (size_t)png->byte_width * (png->interlaced ? png->height : 1), "png_impl_process(samples)"); |