author | aavit <qt-info@nokia.com> | 2011-10-19 12:02:24 (GMT) |
---|---|---|
committer | aavit <qt-info@nokia.com> | 2011-10-19 13:11:44 (GMT) |
commit | e5098123c12880d922923d1117f7b82995c6b5a0 (patch) | |
tree | a5bfa68fcf41808cf00a68205a6602e12ca97507 /src/3rdparty/libpng | |
parent | e9712d60c6e40c2b81b10611a3573c4638121a85 (diff) | |
Fixes: the png_handle_cHRM crash bug in bundled libpng 1.5.4
The PNG Development Group explains that libpng 1.5.4 (only) introduced
a divide-by-zero bug in png_handle_cHRM(), which could lead to crashes
(denial of service) for certain malformed PNGs.
Ref. http://www.libpng.org/pub/png/libpng.html
This commit contains the patch recommended by the PNG Development
Group, ref. http://www.kb.cert.org/vuls/id/477046
Task-number: QTBUG-22168
(cherry picked from commit 55c2ea18c522bd8700f43884124e02b460cdb5e2)
Diffstat (limited to 'src/3rdparty/libpng')
-rw-r--r-- | src/3rdparty/libpng/pngrutil.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/src/3rdparty/libpng/pngrutil.c b/src/3rdparty/libpng/pngrutil.c
index 07e46e2..daf3c5e 100644
--- a/src/3rdparty/libpng/pngrutil.c
+++ b/src/3rdparty/libpng/pngrutil.c
@@ -1037,12 +1037,14 @@ png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
 */
 png_uint_32 w = y_red + y_green + y_blue;
- png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red *
- 32768)/w);
- png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green
- * 32768)/w);
- png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue *
- 32768)/w);
+ if (w != 0) {
+ png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red *
+ 32768)/w);
+ png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green
+ * 32768)/w);
+ png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue *
+ 32768)/w);
+ }
 }
 }
 #endif |
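Review bot: When `w` is zero the new `if (w != 0)` guard skips all three assignments silently, so the rgb_to_gray coefficients keep whatever values they held before and nothing records that the cHRM chunk was malformed. A comment above the guard would state the intent, e.g. `/* w == 0 only for a malformed cHRM whose y values are all zero; skip rather than divide by zero */`. An `else png_warning(png_ptr, "cHRM y values sum to zero");` branch (message text is a constructed example) would let callers notice such files, although for bundled third-party code staying identical to the upstream patch may be the better trade-off. The guard is only sufficient if the unsigned sum cannot wrap to a non-zero value, which presumably the range check in the enclosing block ensures; that check and the rest of png_handle_cHRM lie outside this hunk, so it is worth confirming there.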