Fix a buffer overflow in `png_image_finish_read`
Reject bit-depth mismatches between IHDR and the requested output
format. When a 16-bit PNG is processed with an 8-bit output format
request, `png_combine_row` writes using the IHDR depth before
transformation, causing writes beyond the buffer allocated via
`PNG_IMAGE_SIZE(image)`.
The validation establishes a safe API contract where
`PNG_IMAGE_SIZE(image)` is guaranteed to be sufficient across the
transformation pipeline.
Example overflow (32×32 pixels, 16-bit RGB to 8-bit RGBA):
- Input format: 16 bits/channel × 3 channels = 6144 bytes
- Output buffer: 8 bits/channel × 4 channels = 4096 bytes
- Overflow: 6144 bytes - 4096 bytes = 2048 bytes
Larger images produce proportionally larger overflows. For example,
for 256×256 pixels, the overflow is 131072 bytes.
Reported-by: yosiimich <yosiimich@users.noreply.github.com>
1 file changed