Bug 727401 - import libpng overflow patch from http://codereview.chromium.org/9363013 r=joe, a=akeybl CLOSED TREE GECKO1001_2012020805_RELBRANCH
authorBenjamin Smedberg <benjamin@smedbergs.us>
Wed, 15 Feb 2012 19:01:21 -0800
branchGECKO1001_2012020805_RELBRANCH
changeset 81661 cc9013d9ffc1
parent 81653 4612ee1dff71
child 81663 14af4fac0bc5
push id12
push usernthomas@mozilla.com
push date2012-02-16 03:39 +0000
reviewersjoe, akeybl
bugs727401, 9363013
milestone10.0.1
Bug 727401 - import libpng overflow patch from http://codereview.chromium.org/9363013 r=joe, a=akeybl CLOSED TREE
media/libpng/pngrutil.c
--- a/media/libpng/pngrutil.c
+++ b/media/libpng/pngrutil.c
@@ -396,18 +396,25 @@ png_decompress_chunk(png_structp png_ptr
 #if defined(PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED) || \
     defined(PNG_USER_CHUNK_MALLOC_MAX)
       else
 #endif
       if (expanded_size > 0)
       {
          /* Success (maybe) - really uncompress the chunk. */
          png_size_t new_size = 0;
-         png_charp text = png_malloc_warn(png_ptr,
-                        prefix_size + expanded_size + 1);
+         png_charp text = NULL;
+         /* Need to check for both truncation (64-bit platforms) and integer
+          * overflow.
+          */
+         if (prefix_size + expanded_size > prefix_size &&
+             prefix_size + expanded_size < 0xffffffffU)
+         {
+            text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1);
+         }
 
          if (text != NULL)
          {
             png_memcpy(text, png_ptr->chunkdata, prefix_size);
             new_size = png_inflate(png_ptr,
                 (png_bytep)(png_ptr->chunkdata + prefix_size),
                 chunklength - prefix_size,
                 (png_bytep)(text + prefix_size), expanded_size);
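Review bot: The new guard evaluates `prefix_size + expanded_size` three times (twice in the condition, once in the `png_malloc_warn` argument), which makes the wraparound test harder to read than it needs to be; hoisting the sum into one local keeps the check and the allocation visibly operating on the same value: `png_size_t total_size = prefix_size + expanded_size;` then `if (total_size > prefix_size && total_size < 0xffffffffU)` and `text = png_malloc_warn(png_ptr, total_size + 1);`. The added comment names truncation and overflow but not what the two bounds buy: the `> prefix_size` comparison catches size_t wraparound of the addition, and the `< 0xffffffffU` bound appears intended to keep `total_size + 1` representable in a 32-bit allocation size on 64-bit builds (hedged, since `png_alloc_size_t` is not visible here); a comment such as `/* > prefix_size: the unsigned add wrapped; < 0xffffffff: total + 1 must fit the 32-bit allocation size passed to png_malloc_warn */` would make that explicit. When either bound fails, `text` stays NULL and execution reaches the `if (text != NULL)` branch with no diagnostic emitted in this hunk, so whether the rejection is reported depends on the else path outside the visible lines. The body of `png_decompress_chunk` begins and ends outside the hunk.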