Diffstat (limited to 'libpng/contrib/gregbook/readppm.c')
-rw-r--r-- | libpng/contrib/gregbook/readppm.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/libpng/contrib/gregbook/readppm.c b/libpng/contrib/gregbook/readppm.c index 7fefc3943..52e702777 100644 --- a/libpng/contrib/gregbook/readppm.c +++ b/libpng/contrib/gregbook/readppm.c @@ -9,7 +9,7 @@ --------------------------------------------------------------------------- - Copyright (c) 1998-2007 Greg Roelofs. All rights reserved. + Copyright (c) 1998-2007,2017 Greg Roelofs. All rights reserved. This software is provided "as is," without warranty of any kind, express or implied. In no event shall the author or contributors @@ -154,12 +154,17 @@ uch *readpng_get_image(double display_exponent, int *pChannels, ulg *pRowbytes) *pRowbytes = rowbytes = channels*width; *pChannels = channels; - if ((image_data = (uch *)malloc(rowbytes*height)) == NULL) { + Trace((stderr, "readpng_get_image: rowbytes = %ld, height = %ld\n", rowbytes, height)); + + /* Guard against integer overflow */ + if (height > ((size_t)(-1))/rowbytes) { + fprintf(stderr, PROGNAME ": image_data buffer would be too large\n", return NULL; } - Trace((stderr, "readpng_get_image: rowbytes = %ld, height = %ld\n", rowbytes, height)); - + if ((image_data = (uch *)malloc(rowbytes*height)) == NULL) { + return NULL; + } /* now we can go ahead and just read the whole image */ |
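Review bot: The added `fprintf(stderr, PROGNAME ": image_data buffer would be too large\n",` line in the second hunk ends with a comma instead of `);`, so as shown the call is never closed and runs straight into the `return NULL;` context line, which should not compile. Terminate it as `fprintf(stderr, PROGNAME ": image_data buffer would be too large\n");`. The overflow guard itself divides by `rowbytes`, which is `channels*width` from the context line above and is zero for a zero-width image, so the test should be `if (rowbytes == 0 || height > ((size_t)(-1))/rowbytes) {`. The product `channels*width` is also computed without any overflow check of its own, so a wrapped `rowbytes` would pass the new guard and still yield an undersized `malloc`. readpng_get_image starts and ends outside the hunk, so whether width and height are range-checked earlier cannot be confirmed from here.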