diff options
| author | dgp <dgp@users.sourceforge.net> | 2015-05-15 15:51:20 (GMT) |
|---|---|---|
| committer | dgp <dgp@users.sourceforge.net> | 2015-05-15 15:51:20 (GMT) |
| commit | 03be820c735d848f0f7b105d2ac071d3c7ed582e (patch) | |
| tree | d69914ff4650e385f782465c9589b81d24ded23f | |
| parent | 876ca828dd8fd1fd9738b776566950373d6dd2c9 (diff) | |
| download | tk-03be820c735d848f0f7b105d2ac071d3c7ed582e.zip tk-03be820c735d848f0f7b105d2ac071d3c7ed582e.tar.gz tk-03be820c735d848f0f7b105d2ac071d3c7ed582e.tar.bz2 | |
[dece631375] Prevent PNG Reader writing to memory beyond end of photo image
block.
| -rw-r--r-- | generic/tkImgPNG.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/generic/tkImgPNG.c b/generic/tkImgPNG.c index 8146e33..9d0fb30 100644 --- a/generic/tkImgPNG.c +++ b/generic/tkImgPNG.c @@ -2092,7 +2092,8 @@ ReadIDAT( * Process IDAT contents until there is no more in this chunk. */ - while (chunkSz && !Tcl_ZlibStreamEof(pngPtr->stream)) { + while (chunkSz && !Tcl_ZlibStreamEof(pngPtr->stream) + && pngPtr->currentLine < pngPtr->block.height) { int len1, len2; /* @@ -2178,10 +2179,13 @@ ReadIDAT( /* * Try to read another line of pixels out of the buffer - * immediately. + * immediately, but don't allow write past end of block. */ - goto getNextLine; + if (pngPtr->currentLine < pngPtr->block.height) { + goto getNextLine; + } + } /* |