From 62c027d4dfe166a81280e50eb8a6e67db63da695 Mon Sep 17 00:00:00 2001
From: Cosmin Truta
Date: Wed, 14 Sep 2022 11:30:14 +0300
Subject: Fix handling incorrect hIST chunks of uneven size

The hIST chunks, used for storing image histograms, contain arrays of 16-bit unsigned integers, and the chunk size is expected to be an even number. Raise a png_chunk_benign_error() if a hIST chunk fails to meet this expectation.

Reported-by: Eugene Kliuchnikov
---
 pngrutil.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/pngrutil.c b/pngrutil.c
index c4de582b8..3c7e0e62d 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -2123,8 +2123,9 @@ png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 num = length / 2 ;
- if (num != (unsigned int) png_ptr->num_palette ||
- num > (unsigned int) PNG_MAX_PALETTE_LENGTH)
+ if (length != num * 2 ||
+ num != (unsigned int)png_ptr->num_palette ||
+ num > (unsigned int)PNG_MAX_PALETTE_LENGTH)
 {
 png_crc_finish(png_ptr, length);
 png_chunk_benign_error(png_ptr, "invalid");
-- 
cgit v1.2.1
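Review bot: The new parity test `length != num * 2` in png_handle_hIST carries no comment, so the invariant it enforces lives only in the commit message. A line above the `if` such as `/* hIST holds one 16-bit count per palette entry: length must be even and num must equal num_palette */` would keep it next to the code. Since `num` is assigned `length / 2` just above, `(length & 1) != 0` would state the intent more directly than re-multiplying. All three rejection causes still report the same `"invalid"` text, which makes an odd-length chunk indistinguishable from a count mismatch when triaging a malformed file. The diffstat lists only pngrutil.c, so no odd-length hIST regression input appears to accompany the fix, and the function body starts and ends outside this hunk.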