diff options
author | Cosmin Truta <ctruta@gmail.com> | 2022-09-14 11:30:14 +0300 |
---|---|---|
committer | Cosmin Truta <ctruta@gmail.com> | 2022-09-14 11:30:14 +0300 |
commit | 62c027d4dfe166a81280e50eb8a6e67db63da695 (patch) | |
tree | 0234e1638b92bb103c6020896f2e6ea4b5af7c99 | |
parent | e9e9801a84f5bb053903654634b068dbee72db88 (diff) | |
download | libpng-62c027d4dfe166a81280e50eb8a6e67db63da695.tar.gz |
Fix handling incorrect hIST chunks of uneven size
The hIST chunks, used for storing image histograms, contain arrays of
16-bit unsigned integers, and the chunk size is expected to be an even
number. Raise a png_chunk_benign_error() if a hIST chunk fails to meet
this expectation.
Reported-by: Eugene Kliuchnikov <eustas@google.com>
-rw-r--r-- | pngrutil.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/pngrutil.c b/pngrutil.c index c4de582b8..3c7e0e62d 100644 --- a/pngrutil.c +++ b/pngrutil.c @@ -2123,8 +2123,9 @@ png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) num = length / 2 ; - if (num != (unsigned int) png_ptr->num_palette || - num > (unsigned int) PNG_MAX_PALETTE_LENGTH) + if (length != num * 2 || + num != (unsigned int)png_ptr->num_palette || + num > (unsigned int)PNG_MAX_PALETTE_LENGTH) { png_crc_finish(png_ptr, length); png_chunk_benign_error(png_ptr, "invalid"); |