From 7139f3cf7c8bc576bea1dbd07c58ce1ad92b774a Mon Sep 17 00:00:00 2001 |
From: Matthias Kramm <kramm@quiss.org> |
Date: Wed, 26 Apr 2017 09:02:20 -0700 |
Subject: [PATCH] Fix an integer overflow issue in png.c |
|
This aims to fix https://github.com/matthiaskramm/swftools/issues/13 |
--- |
lib/png.c | 8 ++++++-- |
1 file changed, 6 insertions(+), 2 deletions(-) |
|
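--- a/lib/png.c
+++ b/lib/png.c
@@ -575,8 +575,12 @@ EXPORT int png_load(const char*sname, unsigned*destwidth, unsigned*destheight, u
 
 *destwidth = header.width;
 *destheight = header.height;
-
- data2 = (unsigned char*)malloc(header.width*header.height*4);
+
+ unsigned long long alloclen_64 = (unsigned long long)header.width * header.height * 4;
+ if (alloclen_64 > 0xffffffffl) {
+ return 0;
+ }
+ data2 = (unsigned char*)malloc((size_t)alloclen_64);
 
 if(header.mode == 4)
 {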
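Review bot: The 64-bit product on the `alloclen_64` line can itself wrap if `header.width` and `header.height` are 32-bit unsigned fields (their declarations are outside the hunk). Two dimensions of 2^31 each give 2^64 after the `* 4`, which truncates to 0 and passes the `> 0xffffffffl` test, so `malloc` would be called with a size far smaller than the image. Bounding by division before multiplying avoids this, e.g. `if (header.height && header.width > 0xffffffffu / 4 / header.height) return 0;`. Separately, the result of `malloc` is not checked in the visible lines, and an allocation approaching 4 GiB can fail, so `if (!data2) return 0;` would fit directly after it. png_load starts and ends outside the hunk, so it is worth confirming that both early `return 0` paths release whatever was opened or allocated earlier, and that callers tolerate `*destwidth`/`*destheight` having been written before the failure.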
-- |
2.12.2 |
|