From d572394c2a018ef22e9685ac189f5f05c08ea6f5 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
Date: Tue, 7 Jun 2011 15:56:02 -0500
Subject: [PATCH] [legacy] Check for integer overflow in png_set_rgb_to_gray().

---
 ANNOUNCE   |  3 +++
 CHANGES    |  3 +++
 pngrtran.c | 15 +++++++++++++--
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/ANNOUNCE b/ANNOUNCE
index fb36db78..df125bf6 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -113,6 +113,9 @@ version 1.2.45beta01 [June 7, 2011]
   Ported bugfix in pngrtran.c from 1.5.3: when expanding a paletted image,
     always expand to RGBA if transparency is present.
 
+version 1.2.45beta02 [June 7, 2011]
+  Check for integer overflow in png_set_rgb_to_gray().
+
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement
 to subscribe) or to glennrp at users.sourceforge.net
diff --git a/CHANGES b/CHANGES
index 00ec950b..738365f0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2714,6 +2714,9 @@ version 1.2.45beta01 [June 7, 2011]
   Ported bugfix in pngrtran.c from 1.5.3: when expanding a paletted image,
     always expand to RGBA if transparency is present.
 
+version 1.2.45beta02 [June 7, 2011]
+  Check for integer overflow in png_set_rgb_to_gray().
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/pngrtran.c b/pngrtran.c
index ca05fe95..3e2413d3 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -676,10 +676,21 @@ void PNGAPI
 png_set_rgb_to_gray(png_structp png_ptr, int error_action, double red,
    double green)
 {
-   int red_fixed = (int)((float)red*100000.0 + 0.5);
-   int green_fixed = (int)((float)green*100000.0 + 0.5);
+   int red_fixed, green_fixed;
    if (png_ptr == NULL)
       return;
+   if (red > 21474.83647 || red < -21474.83648 ||
+       green > 21474.83647 || green < -21474.83648)
+   {
+      png_warning(png_ptr, "ignoring out of range rgb_to_gray coefficients");
+      red_fixed = -1;
+      green_fixed = -1;
+   }
+   else
+   {
+      red_fixed = (int)((float)red*100000.0 + 0.5);
+      green_fixed = (int)((float)green*100000.0 + 0.5);
+   }
    png_set_rgb_to_gray_fixed(png_ptr, error_action, red_fixed, green_fixed);
 }
 #endif