From 7a69beda7b3f771a535f581f30756a0301b1f928 Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Thu, 18 Apr 2013 05:53:49 -0500 Subject: [PATCH] [libpng16] in fixitxt.c define MAX_LENGTH, largest iTXT chunk that it can handle. --- contrib/tools/fixitxt.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/contrib/tools/fixitxt.c b/contrib/tools/fixitxt.c index b979a7a30..d717b3e6a 100644 --- a/contrib/tools/fixitxt.c +++ b/contrib/tools/fixitxt.c @@ -25,13 +25,15 @@ * gcc -O -o fixitxt fixitxt.c -lz */ +#define MAX_LENGTH 500000 + #define GETBREAK c=getchar(); if (c == EOF) break; #include main() { unsigned int i; - unsigned char buf[100000]; + unsigned char buf[MAX_LENGTH]; unsigned long crc; unsigned int c; @@ -46,13 +48,13 @@ if (c != EOF) for (;;) { /* Read the length */ - unsigned int length; + unsigned long length; c=GETBREAK; buf[0] = c; c=GETBREAK; buf[1] = c; c=GETBREAK; buf[2] = c; c=GETBREAK; buf[3] = c; - length=buf[0]<<24 | buf[1]<<16 | buf[2] << 8 | buf[3]; + length=((((unsigned long) buf[0]<<8 + buf[1]<<16) + buf[2] << 8) + buf[3]); /* Read the chunkname */ c=GETBREAK; buf[4] = c; c=GETBREAK; buf[5] = c; @@ -63,6 +65,9 @@ for (;;) /* The iTXt chunk type expressed as integers is (105, 84, 88, 116) */ if (buf[4] == 105 && buf[5] == 84 && buf[6] == 88 && buf[7] == 116) { + if (length >= MAX_LENGTH-12) + break; /* To do: handle this more gracefully */ + /* Initialize the CRC */ crc = crc32(0, Z_NULL, 0); @@ -86,6 +91,9 @@ for (;;) length++; + if (length >= MAX_LENGTH-12) + break; + c=GETBREAK; buf[length+11]=c; @@ -115,12 +123,8 @@ for (;;) { c=GETBREAK; putchar(c); - buf[i]=c; } - crc = crc32(0, Z_NULL, 0); - crc = crc32(crc, buf+4, (uInt)length+4); - if (c == EOF) { break; -- GitLab
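Review bot: `MAX_LENGTH` in the first hunk (`@@ -25,13 +25,15 @@`) has no comment, and it is the size of `buf` rather than the largest chunk the tool accepts, since the checks added further down stop at `length >= MAX_LENGTH-12`. A comment on the define would make that explicit, for example `/* Size of buf in bytes; iTXt chunks with length >= MAX_LENGTH-12 are not processed */`. The array is also an automatic variable of about 500 KB inside `main()`, so `static unsigned char buf[MAX_LENGTH];` would keep it off the stack on platforms with a small default stack. `main()` continues outside this hunk.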
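Review bot: The new length computation in the `@@ -46,13 +48,13 @@` hunk does not decode the big-endian chunk length, because `+` binds tighter than `<<` in C. `(unsigned long) buf[0]<<8 + buf[1]<<16` parses as `((unsigned long)buf[0] << (8 + buf[1])) << 16`, so the shift count comes from an input byte and can reach or exceed the width of `unsigned long`, which is undefined behaviour. Any length of 65536 or more is therefore decoded wrongly. Because this value is what the added `MAX_LENGTH-12` checks compare and what later indexes `buf`, a wrong decode undermines the bound the commit introduces. Each byte should be widened and combined with explicit parentheses, `length = ((unsigned long)buf[0] << 24) | ((unsigned long)buf[1] << 16) | ((unsigned long)buf[2] << 8) | (unsigned long)buf[3];`; the enclosing `for (;;)` loop extends beyond the hunk.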
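Review bot: Both added bound checks, in `@@ -63,6 +65,9 @@` and again after `length++` in `@@ -86,6 +91,9 @@`, leave the loop with a bare `break`, so an oversized iTXt chunk ends processing without any diagnostic and the output simply stops at that point. Nothing visible in these hunks reports the condition or sets a failing exit status, so a caller could take the truncated PNG for a complete one. Emitting a message before the `break`, e.g. `fprintf(stderr, "fixitxt: iTXt chunk too large (%lu bytes)\n", length);`, and returning non-zero from `main()` would make the failure detectable. The code after the loop is outside the hunks, so the exit path has to be checked there.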