dany/libwebp
1
0
Fork 0
mirror of https://github.com/webmproject/libwebp.git synced 2025-07-13 06:24:27 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

imageio_util: add ImgIoUtilCheckSizeArgumentsOverflow

Browse Source 
and use it to validate decoder allocations. fixes a crash in jpegdec at
least.

BUG=webp:312

Change-Id: Ia940590098f29510add6aad10a8dfe9e9ea46bf4
This commit is contained in:
James Zern
2016-10-07 13:18:29 -07:00
parent 68ae5b671f
commit bc86b7a8a1
6 changed files with 55 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
imageio/pngdec.c
View File

@ -24,6 +24,7 @@
#include <string.h>
#include "webp/encode.h"
#include "./imageio_util.h"
#include "./metadata.h"
static void PNGAPI error_function(png_structp png, png_const_charp error) {
@ -216,7 +217,7 @@ int ReadPNG(const uint8_t* const data, size_t data_size,
int p;
volatile int ok = 0;
png_uint_32 width, height, y;
png_uint_32 stride;
int64_t stride;
uint8_t* volatile rgb = NULL;
context.data = data;
@ -269,8 +270,14 @@ int ReadPNG(const uint8_t* const data, size_t data_size,
num_passes = png_set_interlace_handling(png);
png_read_update_info(png, info);
stride = (has_alpha ? 4 : 3) * width * sizeof(*rgb);
rgb = (uint8_t*)malloc(stride * height);
stride = (int64_t)(has_alpha ? 4 : 3) * width * sizeof(*rgb);
if (stride != (int)stride ||
!ImgIoUtilCheckSizeArgumentsOverflow(stride, height)) {
goto Error;
}
rgb = (uint8_t*)malloc((size_t)stride * height);
if (rgb == NULL) goto Error;
for (p = 0; p < num_passes; ++p) {
for (y = 0; y < height; ++y) {