Bug 727401 - import libpng overflow patch from http://codereview.chromium.org/9363013 r=joe, a=akeybl
authorDaniel Veditz <dveditz@cruzio.com>
Wed, 15 Feb 2012 20:26:36 -0800
changeset 35264 fd6d19a5ae8418949af55796a4ffab4d052201ca
parent 35258 177e42a7014eac0fabf5d21d44c3a15dbe5a4f02
child 35265 73ffd608342ea3324860a393b140fd7a2b4a2d2d
child 35267 bb46b673486c01b10753ccdf1900088fa1f5b370
push id2022
push userdveditz@mozilla.com
push dateThu, 16 Feb 2012 04:26:45 +0000
reviewersjoe, akeybl
bugs727401, 9363013
milestone1.9.2.27pre
Bug 727401 - import libpng overflow patch from http://codereview.chromium.org/9363013 r=joe, a=akeybl
modules/libimg/png/pngrutil.c
--- a/modules/libimg/png/pngrutil.c
+++ b/modules/libimg/png/pngrutil.c
@@ -335,18 +335,25 @@ png_decompress_chunk(png_structp png_ptr
        * has already been output (warning) or the size really is zero
        * and we have nothing to do - the code will exit through the
        * error case below.
        */
       else if (expanded_size > 0)
       {
          /* Success (maybe) - really uncompress the chunk. */
 	 png_size_t new_size = 0;
-	 png_charp text = png_malloc_warn(png_ptr,
-			prefix_size + expanded_size + 1);
+         png_charp text = NULL;
+         /* Need to check for both truncation (64-bit platforms) and integer
+          * overflow.
+          */
+         if (prefix_size + expanded_size > prefix_size &&
+             prefix_size + expanded_size < 0xffffffffU)
+         {
+            text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1);
+         }
 
          if (text != NULL)
          {
 	    png_memcpy(text, png_ptr->chunkdata, prefix_size);
 	    new_size = png_inflate(png_ptr,
                 (png_bytep)(png_ptr->chunkdata + prefix_size),
 		chunklength - prefix_size,
                 (png_bytep)(text + prefix_size), expanded_size);
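Review bot: When the new size check before png_malloc_warn rejects a chunk, `text` simply stays NULL, so an oversized or overflowing chunk is indistinguishable from a genuine allocation failure in the `text != NULL` else path, which lies outside the hunk and presumably reports it as a memory warning; an `else { png_warning(png_ptr, "Chunk too large to decompress"); }` on the check would make the rejection visible to callers and in logs. The comment on the check should also say what the `0xffffffffU` bound protects: presumably that png_malloc_warn takes a 32-bit size, so `prefix_size + expanded_size + 1` must fit in a `png_uint_32` after the `+ 1` — spelling the bound as `PNG_UINT_32_MAX` (if png.h provides it) rather than a bare literal would carry that intent. Stylistically, the added lines are indented with spaces while the neighbouring lines use tabs. png_decompress_chunk starts and ends outside the hunk.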