1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
libpng16: Fixed an overflow in png_combine_row with very wide interlaced
Fixes CVE-2015-0973 (duplicate of CVE-2014-9495), a heap-based overflow
vulnerability in the png_combine_row() function of the libpng library,
when very large interlaced images were used.
Upstream patch:
http://sourceforge.net/p/libpng/code/ci/dc294204b641373bc6eb603075a8b98f51a75dd8/
Upstream-Status: Backport
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
diff --git a/pngrutil.c b/pngrutil.c
index e9fdd62..4c26be4 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -3003,7 +3003,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
{
unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
png_const_bytep sp = png_ptr->row_buf + 1;
- png_uint_32 row_width = png_ptr->width;
+ png_alloc_size_t row_width = png_ptr->width;
unsigned int pass = png_ptr->pass;
png_bytep end_ptr = 0;
png_byte end_byte = 0;
@@ -3278,7 +3278,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
/* But don't allow this number to exceed the actual row width. */
if (bytes_to_copy > row_width)
- bytes_to_copy = row_width;
+ bytes_to_copy = (unsigned int)/*SAFE*/row_width;
}
else /* normal row; Adam7 only ever gives us one pixel to copy. */
@@ -3458,7 +3458,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
dp += bytes_to_jump;
row_width -= bytes_to_jump;
if (bytes_to_copy > row_width)
- bytes_to_copy = row_width;
+ bytes_to_copy = (unsigned int)/*SAFE*/row_width;
}
}
--
1.9.1
|