[libpng16] Corrected previous attempt at overflow detection in

png_set_unknown_chunks().

[libpng16] Corrected previous attempt at overflow detection in
png_set_unknown_chunks().
9dd2bfaf · John Bowler · Glenn Randers-Pehrson · ba35f1e4 · 9dd2bfaf · 9dd2bfaf
隐藏空白更改
内联并排

Showing with 7 addition and 5 deletion

ANNOUNCE ANNOUNCE +3 -2

CHANGES CHANGES +2 -1

pngset.c pngset.c +2 -2

未找到文件。
--- a/ANNOUNCE
+++ b/ANNOUNCE

-Libpng 1.6.0beta38 - January 10, 2013
+Libpng 1.6.0beta38 - January 17, 2013

 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -587,7 +587,8 @@ Version 1.6.0beta37 [January 10, 2013]
  Fixed conceivable but difficult to repro overflow. Also added two test
    programs to generate and test a PNG which should have the problem.

-Version 1.6.0beta38 [January 10, 2013]
+Version 1.6.0beta38 [January 17, 2013]
+  Corrected previous attempt at overflow detection in png_set_unknown_chunks().

  ===========================================================================
                       NOTICE November 17, 2012:

--- a/CHANGES
+++ b/CHANGES
@@ -4340,7 +4340,8 @@ Version 1.6.0beta37 [January 10, 2013]
  Fixed conceivable but difficult to repro overflow. Also added two test
    programs to generate and test a PNG which should have the problem.

-Version 1.6.0beta38 [January 10, 2013]
+Version 1.6.0beta38 [January 17, 2013]
+  Corrected previous attempt at overflow detection in png_set_unknown_chunks().

  ===========================================================================
                       NOTICE November 17, 2012:

--- a/pngset.c
+++ b/pngset.c
@@ -1130,7 +1130,7 @@ png_set_unknown_chunks(png_const_structrp png_ptr,
    * limit.
    */
   if (num_unknowns > PNG_UINT_32_MAX - info_ptr->unknown_chunks_num ||
-      num_unknowns > PNG_SIZE_MAX/(sizeof *np) - info_ptr->unknown_chunks_num)
+      num_unknowns + info_ptr->unknown_chunks_num > PNG_SIZE_MAX/(sizeof *np))
   {
      /* This is a benign read error (user limits are disabled and we are about
       * to overflow 2^32 chunks) and an application write error.
@@ -1141,7 +1141,7 @@ png_set_unknown_chunks(png_const_structrp png_ptr,
   }

   np = png_voidcast(png_unknown_chunkp, png_malloc(png_ptr,
-       (info_ptr->unknown_chunks_num + (unsigned int)num_unknowns) *
+       (info_ptr->unknown_chunks_num + num_unknowns) *
       (sizeof (png_unknown_chunk))));

   memcpy(np, info_ptr->unknown_chunks,