current/SOURCES/0001-Fix-an-integer-overflow-issue-in-png.c.patch

From 7139f3cf7c8bc576bea1dbd07c58ce1ad92b774a Mon Sep 17 00:00:00 2001
From: Matthias Kramm <kramm@quiss.org>
Date: Wed, 26 Apr 2017 09:02:20 -0700
Subject: [PATCH] Fix an integer overflow issue in png.c

This aims to fix https://github.com/matthiaskramm/swftools/issues/13
---
 lib/png.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/png.c b/lib/png.c
index 66eebb44..44a4b425 100644
--- a/lib/png.c
+++ b/lib/png.c
@@ -575,8 +575,12 @@ EXPORT int png_load(const char*sname, unsigned*destwidth, unsigned*destheight, u
 
     *destwidth = header.width;
     *destheight = header.height;
-       
-    data2 = (unsigned char*)malloc(header.width*header.height*4);
+
+    unsigned long long alloclen_64 = (unsigned long long)header.width * header.height * 4;
+    if (alloclen_64 > 0xffffffffl) {
+        return 0;
+    }
+    data2 = (unsigned char*)malloc((size_t)alloclen_64);
 
     if(header.mode == 4)
     {
-- 
2.12.2

1	From 7139f3cf7c8bc576bea1dbd07c58ce1ad92b774a Mon Sep 17 00:00:00 2001
2	From: Matthias Kramm <kramm@quiss.org>
3	Date: Wed, 26 Apr 2017 09:02:20 -0700
4	Subject: [PATCH] Fix an integer overflow issue in png.c
5
6	This aims to fix https://github.com/matthiaskramm/swftools/issues/13
7	---
8	lib/png.c \| 8 ++++++--
9	1 file changed, 6 insertions(+), 2 deletions(-)
10
11	diff --git a/lib/png.c b/lib/png.c
12	index 66eebb44..44a4b425 100644
13	--- a/lib/png.c
14	+++ b/lib/png.c
15	@@ -575,8 +575,12 @@ EXPORT int png_load(const charsname, unsigneddestwidth, unsigned*destheight, u
16
17	*destwidth = header.width;
18	*destheight = header.height;
19	-
20	- data2 = (unsigned char)malloc(header.widthheader.height*4);
21	+
22	+ unsigned long long alloclen_64 = (unsigned long long)header.width * header.height * 4;
23	+ if (alloclen_64 > 0xffffffffl) {
24	+ return 0;
25	+ }
26	+ data2 = (unsigned char*)malloc((size_t)alloclen_64);
27
28	if(header.mode == 4)
29	{
30	--
31	2.12.2
32