[libpng12] Issue a png_error() instead of a png_warning() when width is

potentially too large for the architecture, in case the calling application has overridden the default 1,000,000-column limit (fixes CVE-2014-9495 and CVE-2015-0973).
2015-01-31 13:08:48 -06:00 · 2015-01-31 13:08:48 -06:00 · a4d40f32dd
parent f34e3f4667
commit a4d40f32dd
3 changed files with 11 additions and 0 deletions
--- a/4
+++ b/4
@ -44,6 +44,10 @@ Other information:
 Changes since the last public release (1.2.52):

 version 1.2.53beta01 [RDATE%]
+  Issue a png_error() instead of a png_warning() when width is
+    potentially too large for the architecture, in case the calling
+    application has overridden the default 1,000,000-column limit
+    (fixes CVE-2014-9495 and CVE-2015-0973).

 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
--- a/4
+++ b/4
@ -2829,6 +2829,10 @@ version 1.0.62 and 1.2.52 [November 20, 2014]
  No changes.

 version 1.2.53beta01 [RDATE%]
+  Issue a png_error() instead of a png_warning() when width is
+    potentially too large for the architecture, in case the calling
+    application has overridden the default 1,000,000-column limit
+    (fixes CVE-2014-9495 and CVE-2015-0973).

 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
--- a/pngset.c
+++ b/pngset.c
@ -263,7 +263,10 @@ png_set_IHDR(png_structp png_ptr, png_infop info_ptr,
                 - 1        /* filter byte */
                 - 7*8      /* rounding of width to multiple of 8 pixels */
                 - 8)       /* extra max_pixel_depth pad */
+   {
      info_ptr->rowbytes = (png_size_t)0;
+      png_error(png_ptr, "Image width is too large for this architecture");
+   }
   else
      info_ptr->rowbytes = PNG_ROWBYTES(info_ptr->pixel_depth, width);
 }