authorCosmin Truta <ctruta@gmail.com>2022-09-14 11:30:14 +0300
committerCosmin Truta <ctruta@gmail.com>2022-09-14 11:30:14 +0300
commit62c027d4dfe166a81280e50eb8a6e67db63da695 (patch)
tree0234e1638b92bb103c6020896f2e6ea4b5af7c99
parente9e9801a84f5bb053903654634b068dbee72db88 (diff)
Fix handling incorrect hIST chunks of uneven size
The hIST chunks, used for storing image histograms, contain arrays of 16-bit unsigned integers, and the chunk size is expected to be an even number. Raise a png_chunk_benign_error() if a hIST chunk fails to meet this expectation. Reported-by: Eugene Kliuchnikov <eustas@google.com>
-rw-r--r--pngrutil.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/pngrutil.c b/pngrutil.c
index c4de582b8..3c7e0e62d 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -2123,8 +2123,9 @@ png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
num = length / 2 ;
- if (num != (unsigned int) png_ptr->num_palette ||
- num > (unsigned int) PNG_MAX_PALETTE_LENGTH)
+ if (length != num * 2 ||
+ num != (unsigned int)png_ptr->num_palette ||
+ num > (unsigned int)PNG_MAX_PALETTE_LENGTH)
{
png_crc_finish(png_ptr, length);
png_chunk_benign_error(png_ptr, "invalid");
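Review bot: The added first condition `length != num * 2` is an odd-length test written indirectly, and nothing next to it says so. A one-line comment above the `if` would make the intent clear, for example `/* hIST entries are 16-bit; reject a length that length / 2 would round down */`, or the test could be written as `(length & 1) != 0`. The single "invalid" message now covers three separate causes (odd length, mismatch with `num_palette`, more than `PNG_MAX_PALETTE_LENGTH` entries), so a rejected file gives no hint which one triggered it. Because `png_chunk_benign_error()` can return to the caller when benign errors are downgraded to warnings, the rejection depends on a `return` after this call, which is not visible because the body of `png_handle_hIST` starts and ends outside the hunk.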