[master] Revised png_check_IHDR()

2009-09-30 14:29:00 -05:00 · 2009-09-30 14:29:00 -05:00 · f12abe957d
parent caaf688582
commit f12abe957d
1 changed files with 17 additions and 16 deletions
--- a/png.c
+++ b/png.c
@ -948,40 +948,41 @@ png_check_IHDR(png_structp png_ptr,

 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
   if (width > png_ptr->user_width_max || width > PNG_USER_WIDTH_MAX)
-   {
-      png_warning(png_ptr, "Image width exceeds user limit in IHDR");
-      error = 1;
-   }
-
-   if (height > png_ptr->user_height_max || height > PNG_USER_HEIGHT_MAX)
-   {
-      png_warning(png_ptr, "Image height exceeds user limit in IHDR");
-      error = 1;
-   }
-
 #else
-   if (width > PNG_USER_WIDTH_MAX
+   if (width > PNG_USER_WIDTH_MAX)
+#endif
   {
      png_warning(png_ptr, "Image width exceeds user limit in IHDR");
+      if ((width >> 16) == height)
+      {
+         /* This is likely to be caused by passing consecutive addresses
+          * of 16-bit width and height variables to png_get_IHDR(), which
+          * overflowed when we tried to fill them with 31-bit data.
+          */ 
+         png_warning(png_ptr, "High bytes of width == low bytes of height");
+      }
      error = 1;
   }

+#ifdef PNG_SET_USER_LIMITS_SUPPORTED
+   if (height > png_ptr->user_height_max || height > PNG_USER_HEIGHT_MAX)
+#else
   if (height > PNG_USER_HEIGHT_MAX)
+#endif
   {
      png_warning(png_ptr, "Image height exceeds user limit in IHDR");
      error = 1;
   }
-#endif

-   if (height > PNG_UINT_31_MAX)
+   if (width > PNG_UINT_31_MAX)
   {
-      png_warning(png_ptr, "Invalid image height in IHDR");
+      png_warning(png_ptr, "Invalid image width in IHDR");
      error = 1;
   }

   if ( height > PNG_UINT_31_MAX)
   {
-      png_warning(png_ptr, "Invalid image width in IHDR");
+      png_warning(png_ptr, "Invalid image height in IHDR");
      error = 1;
   }