pngdec,ReadFunc: throw an error on invalid read

convert the assert() to an error check to avoid crashing when reading
malformed files.

BUG=webp:302

Change-Id: I25eed9cab5c0a439bd3411beacc83f3a27af2bbf
This commit is contained in:
James Zern 2016-06-22 23:09:30 -07:00
parent 38063af131
commit bb50bf42b0

View File

@ -18,7 +18,6 @@
#include <stdio.h> #include <stdio.h>
#ifdef WEBP_HAVE_PNG #ifdef WEBP_HAVE_PNG
#include <assert.h>
#include <png.h> #include <png.h>
#include <setjmp.h> // note: this must be included *after* png.h #include <setjmp.h> // note: this must be included *after* png.h
#include <stdlib.h> #include <stdlib.h>
@ -198,7 +197,9 @@ typedef struct {
static void ReadFunc(png_structp png_ptr, png_bytep data, png_size_t length) { static void ReadFunc(png_structp png_ptr, png_bytep data, png_size_t length) {
PNGReadContext* const ctx = (PNGReadContext*)png_get_io_ptr(png_ptr); PNGReadContext* const ctx = (PNGReadContext*)png_get_io_ptr(png_ptr);
assert(ctx->offset + length <= ctx->data_size); if (ctx->data_size - ctx->offset < length) {
png_error(png_ptr, "ReadFunc: invalid read length (overflow)!");
}
memcpy(data, ctx->data + ctx->offset, length); memcpy(data, ctx->data + ctx->offset, length);
ctx->offset += length; ctx->offset += length;
} }