[master] Revised png_check_IHDR()

This commit is contained in:
Glenn Randers-Pehrson 2009-09-30 14:29:00 -05:00
parent caaf688582
commit f12abe957d

39
png.c
View File

@ -948,30 +948,37 @@ png_check_IHDR(png_structp png_ptr,
#ifdef PNG_SET_USER_LIMITS_SUPPORTED #ifdef PNG_SET_USER_LIMITS_SUPPORTED
if (width > png_ptr->user_width_max || width > PNG_USER_WIDTH_MAX) if (width > png_ptr->user_width_max || width > PNG_USER_WIDTH_MAX)
{
png_warning(png_ptr, "Image width exceeds user limit in IHDR");
error = 1;
}
if (height > png_ptr->user_height_max || height > PNG_USER_HEIGHT_MAX)
{
png_warning(png_ptr, "Image height exceeds user limit in IHDR");
error = 1;
}
#else #else
if (width > PNG_USER_WIDTH_MAX if (width > PNG_USER_WIDTH_MAX)
#endif
{ {
png_warning(png_ptr, "Image width exceeds user limit in IHDR"); png_warning(png_ptr, "Image width exceeds user limit in IHDR");
if ((width >> 16) == height)
{
/* This is likely to be caused by passing consecutive addresses
* of 16-bit width and height variables to png_get_IHDR(), which
* overflowed when we tried to fill them with 31-bit data.
*/
png_warning(png_ptr, "High bytes of width == low bytes of height");
}
error = 1; error = 1;
} }
#ifdef PNG_SET_USER_LIMITS_SUPPORTED
if (height > png_ptr->user_height_max || height > PNG_USER_HEIGHT_MAX)
#else
if (height > PNG_USER_HEIGHT_MAX) if (height > PNG_USER_HEIGHT_MAX)
#endif
{ {
png_warning(png_ptr, "Image height exceeds user limit in IHDR"); png_warning(png_ptr, "Image height exceeds user limit in IHDR");
error = 1; error = 1;
} }
#endif
if (width > PNG_UINT_31_MAX)
{
png_warning(png_ptr, "Invalid image width in IHDR");
error = 1;
}
if ( height > PNG_UINT_31_MAX) if ( height > PNG_UINT_31_MAX)
{ {
@ -979,12 +986,6 @@ png_check_IHDR(png_structp png_ptr,
error = 1; error = 1;
} }
if ( height > PNG_UINT_31_MAX)
{
png_warning(png_ptr, "Invalid image width in IHDR");
error = 1;
}
if ( width > (PNG_UINT_32_MAX if ( width > (PNG_UINT_32_MAX
>> 3) /* 8-byte RGBA pixels */ >> 3) /* 8-byte RGBA pixels */
- 64 /* bigrowbuf hack */ - 64 /* bigrowbuf hack */