diff options
| author | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-08-03 18:03:12 -0500 |
|---|---|---|
| committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-08-03 18:03:12 -0500 |
| commit | 2dbef2f2a9e759a80d2decb6862518acf4919c59 (patch) | |
| tree | 8d2a6c3e02bdb0f779448a9417980590ba00d634 /pngpread.c | |
| parent | 4ac8b5e0d6af292f524da820177aa8ada4433e44 (diff) | |
| download | libpng-2dbef2f2a9e759a80d2decb6862518acf4919c59.tar.gz | |
[libpng16] Restored IDAT length check. Previously the calculated limit was five
bytes too small (neglected to account for a partial DEFLATE buffer)
Diffstat (limited to 'pngpread.c')
| -rw-r--r-- | pngpread.c | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/pngpread.c b/pngpread.c index e61202add..c7721461a 100644 --- a/pngpread.c +++ b/pngpread.c @@ -226,7 +226,6 @@ png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr) if (chunk_name == png_IDAT) { -#if 0 /* some pngtests are failing */ size_t row_factor = (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1) + 1 + (png_ptr->interlaced? 6: 0)); @@ -234,11 +233,8 @@ png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr) limit=PNG_UINT_31_MAX; else limit = png_ptr->height * row_factor; - limit += 6 + 5*limit/32566; /* zlib+deflate overhead */ + limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */ limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX; -#else - limit=PNG_UINT_31_MAX; -#endif } else { @@ -253,7 +249,9 @@ png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr) } if (png_ptr->push_length > limit) { - png_debug2(1," png_ptr->push_length = %lu, limit = %lu", + printf(" png_ptr->push_length = %lu, limit = %lu\n", + (unsigned long)png_ptr->push_length,(unsigned long)limit); + png_debug2(0," png_ptr->push_length = %lu, limit = %lu", (unsigned long)png_ptr->push_length,(unsigned long)limit); png_chunk_error(png_ptr, "chunk data is too large"); } |