OLD | NEW |
1 | 1 |
2 /* pngrutil.c - utilities to read a PNG file | 2 /* pngrutil.c - utilities to read a PNG file |
3 * | 3 * |
4 * Last changed in libpng 1.2.45 [July 7, 2011] | 4 * Last changed in libpng 1.2.45 [July 7, 2011] |
5 * Copyright (c) 1998-2011 Glenn Randers-Pehrson | 5 * Copyright (c) 1998-2011 Glenn Randers-Pehrson |
6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) | 6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) |
7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) | 7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) |
8 * | 8 * |
9 * This code is released under the libpng license. | 9 * This code is released under the libpng license. |
10 * For conditions of distribution and use, see the disclaimer | 10 * For conditions of distribution and use, see the disclaimer |
(...skipping 345 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
356 * error case below. | 356 * error case below. |
357 */ | 357 */ |
358 #if defined(PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED) || \ | 358 #if defined(PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED) || \ |
359 defined(PNG_USER_CHUNK_MALLOC_MAX) | 359 defined(PNG_USER_CHUNK_MALLOC_MAX) |
360 else | 360 else |
361 #endif | 361 #endif |
362 if (expanded_size > 0) | 362 if (expanded_size > 0) |
363 { | 363 { |
364 /* Success (maybe) - really uncompress the chunk. */ | 364 /* Success (maybe) - really uncompress the chunk. */ |
365 png_size_t new_size = 0; | 365 png_size_t new_size = 0; |
366 png_charp text = png_malloc_warn(png_ptr, | 366 png_charp text = NULL; |
367 prefix_size + expanded_size + 1); | 367 /* Need to check for both truncation (64-bit platforms) and integer |
| 368 * overflow. |
| 369 */ |
| 370 if (prefix_size + expanded_size > prefix_size && |
| 371 prefix_size + expanded_size < 0xffffffffU) |
| 372 { |
| 373 text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1); |
| 374 } |
368 | 375 |
369 if (text != NULL) | 376 if (text != NULL) |
370 { | 377 { |
371 png_memcpy(text, png_ptr->chunkdata, prefix_size); | 378 png_memcpy(text, png_ptr->chunkdata, prefix_size); |
372 new_size = png_inflate(png_ptr, | 379 new_size = png_inflate(png_ptr, |
373 (png_bytep)(png_ptr->chunkdata + prefix_size), | 380 (png_bytep)(png_ptr->chunkdata + prefix_size), |
374 chunklength - prefix_size, | 381 chunklength - prefix_size, |
375 (png_bytep)(text + prefix_size), expanded_size); | 382 (png_bytep)(text + prefix_size), expanded_size); |
376 text[prefix_size + expanded_size] = 0; /* just in case */ | 383 text[prefix_size + expanded_size] = 0; /* just in case */ |
377 | 384 |
(...skipping 3003 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3381 png_debug1(3, "height = %lu,", png_ptr->height); | 3388 png_debug1(3, "height = %lu,", png_ptr->height); |
3382 png_debug1(3, "iwidth = %lu,", png_ptr->iwidth); | 3389 png_debug1(3, "iwidth = %lu,", png_ptr->iwidth); |
3383 png_debug1(3, "num_rows = %lu,", png_ptr->num_rows); | 3390 png_debug1(3, "num_rows = %lu,", png_ptr->num_rows); |
3384 png_debug1(3, "rowbytes = %lu,", png_ptr->rowbytes); | 3391 png_debug1(3, "rowbytes = %lu,", png_ptr->rowbytes); |
3385 png_debug1(3, "irowbytes = %lu", | 3392 png_debug1(3, "irowbytes = %lu", |
3386 PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1); | 3393 PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1); |
3387 | 3394 |
3388 png_ptr->flags |= PNG_FLAG_ROW_INIT; | 3395 png_ptr->flags |= PNG_FLAG_ROW_INIT; |
3389 } | 3396 } |
3390 #endif /* PNG_READ_SUPPORTED */ | 3397 #endif /* PNG_READ_SUPPORTED */ |
OLD | NEW |