authoraavit <qt-info@nokia.com>2011-10-19 12:02:24 (GMT)
committeraavit <qt-info@nokia.com>2011-10-19 12:05:48 (GMT)
commit55c2ea18c522bd8700f43884124e02b460cdb5e2 (patch)
treecc0d98b7a624531fbd32ea2b3250143b31ae8c38
parentfa717293080c9d00b02028bebece1935aef6e093 (diff)
Fixes: the png_handle_cHRM crash bug in bundled libpng 1.5.4
The PNG Development Group explains that libpng 1.5.4 (only) introduced a divide-by-zero bug in png_handle_cHRM(), which could lead to crashes (denial of service) for certain malformed PNGs. Ref. http://www.libpng.org/pub/png/libpng.html Task-number: QTBUG-22168
-rw-r--r--src/3rdparty/libpng/pngrutil.c14
1 files changed, 8 insertions, 6 deletions
diff --git a/src/3rdparty/libpng/pngrutil.c b/src/3rdparty/libpng/pngrutil.c
index 07e46e2..daf3c5e 100644
--- a/src/3rdparty/libpng/pngrutil.c
+++ b/src/3rdparty/libpng/pngrutil.c
@@ -1037,12 +1037,14 @@ png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
*/
png_uint_32 w = y_red + y_green + y_blue;
- png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red *
- 32768)/w);
- png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green
- * 32768)/w);
- png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue *
- 32768)/w);
+ if (w != 0) {
+ png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red *
+ 32768)/w);
+ png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green
+ * 32768)/w);
+ png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue *
+ 32768)/w);
+ }
}
}
#endif
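Review bot: When w == 0 the new guard skips the three assignments silently, so a malformed cHRM whose Y values sum to zero leaves rgb_to_gray_red_coeff, rgb_to_gray_green_coeff and rgb_to_gray_blue_coeff at whatever they held before and reports nothing; an `else png_warning(png_ptr, "cHRM chunk: sum of Y values is zero, ignoring for RGB-to-gray");` branch would make the discarded chunk visible to the caller and is cheaper to diagnose than a later wrong grayscale conversion. The guard stops the divide-by-zero, but w is a png_uint_32 sum of values whose sign and range are checked, if at all, outside this hunk, so a wrapped or out-of-range sum presumably still produces an unexpected coefficient rather than an error. The enclosing png_handle_cHRM body starts before the hunk, so those earlier checks are not visible here.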