Index: third_party/libpng/pngrutil.c |
=================================================================== |
--- third_party/libpng/pngrutil.c (revision 120786) |
+++ third_party/libpng/pngrutil.c (working copy) |
@@ -363,8 +363,15 @@ |
{ |
/* Success (maybe) - really uncompress the chunk. */ |
png_size_t new_size = 0; |
- png_charp text = png_malloc_warn(png_ptr, |
- prefix_size + expanded_size + 1); |
+ png_charp text = NULL; |
+ /* Need to check for both truncation (64-bit platforms) and integer |
+ * overflow. |
+ */ |
+ if (prefix_size + expanded_size > prefix_size && |
+ prefix_size + expanded_size < 0xffffffffU) |
+ { |
+ text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1); |
+ } |
if (text != NULL) |
{ |
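Review bot: The new guard at `if (prefix_size + expanded_size > prefix_size && ...)` leaves `text` NULL when the size check fails, so a rejected length takes the same `if (text != NULL)` path as a failed `png_malloc_warn()`. The else branch is outside the hunk, but whatever it reports will presumably read as an out-of-memory condition rather than as a wrapped or oversized chunk length. Consider computing the sum once, `png_size_t total = prefix_size + expanded_size;`, testing `total > prefix_size && total < 0xffffffffU`, and issuing a distinct `png_warning()` when the test fails, so that malformed input can be told apart from real allocation failure in logs. The wraparound test is only meaningful if both operands are unsigned `png_size_t`, which their declarations outside the hunk should confirm. The strict `>` also rejects `expanded_size == 0`, so the comment should say whether that is intended and name the 32-bit quantity the `0xffffffffU` bound protects.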