[libpng16] Check for integer overflow in contrib/tools/genpng.
diff --git a/ANNOUNCE b/ANNOUNCE
index a2797df..b90fc02 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -39,7 +39,7 @@
Removed reference to the obsolete PNG_SAFE_LIMITS macro in the documentation.
Version 1.6.30beta03 [April 23, 2017]
- Check for integer overflow in contrib/visupng.
+ Check for integer overflow in contrib/visupng and contrib/tools/genpng.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/CHANGES b/CHANGES
index d28b7b2..883062c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5834,7 +5834,7 @@
Removed reference to the obsolete PNG_SAFE_LIMITS macro in the documentation.
Version 1.6.30beta03 [April 23, 2017]
- Check for integer overflow in contrib/visupng.
+ Check for integer overflow in contrib/visupng and contrib/tools/genpng.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/contrib/tools/genpng.c b/contrib/tools/genpng.c
index ce43260..0b3f981 100644
--- a/contrib/tools/genpng.c
+++ b/contrib/tools/genpng.c
@@ -1,7 +1,8 @@
/*- genpng
*
* COPYRIGHT: Written by John Cunningham Bowler, 2015.
- * To the extent possible under law, the author has waived all copyright and
+ * Revised by Glenn Randers-Pehrson, 2017, to add buffer-size check.
+ * To the extent possible under law, the authors have waived all copyright and
* related or neighboring rights to this work. This work is published from:
* United States.
*
@@ -783,6 +784,19 @@
return 1;
}
+#if 1
+ /* TO do: determine whether this guard against overflow is necessary.
+ * This comment in png.h indicates that it should be safe: "libpng will
+ * refuse to process an image where such an overflow would occur", but
+ * I don't see where the image gets rejected when the buffer is too
+ * large before the malloc is attempted.
+ */
+ if (image.height > ((size_t)(-1))/(8*image.width)) {
+ fprintf(stderr, "genpng: image buffer would be too big");
+ return 1;
+ }
+#endif
+
/* Create the buffer: */
buffer = malloc(PNG_IMAGE_SIZE(image));