diff options
| author | dgp <dgp@users.sourceforge.net> | 2015-09-23 21:29:42 (GMT) |
|---|---|---|
| committer | dgp <dgp@users.sourceforge.net> | 2015-09-23 21:29:42 (GMT) |
| commit | e2138596ed17444e34d4aacc028486e200cad81f (patch) | |
| tree | 5d3981b258fb01d746e438d828b4a4fccd447bc4 | |
| parent | 52f8a05fe615644764e95244879e6aa0e782fecd (diff) | |
| download | tk-e2138596ed17444e34d4aacc028486e200cad81f.zip tk-e2138596ed17444e34d4aacc028486e200cad81f.tar.gz tk-e2138596ed17444e34d4aacc028486e200cad81f.tar.bz2 | |
[c648c8dad1] Repair PNG reader buffer overflow protections that prevented
read of valid PNG image.
| -rw-r--r-- | generic/tkImgPNG.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/generic/tkImgPNG.c b/generic/tkImgPNG.c index 9d0fb30..2ee515b 100644 --- a/generic/tkImgPNG.c +++ b/generic/tkImgPNG.c @@ -1847,6 +1847,13 @@ DecodeLine( if (UnfilterLine(interp, pngPtr) == TCL_ERROR) { return TCL_ERROR; } + if (pngPtr->currentLine >= pngPtr->block.height) { + Tcl_SetObjResult(interp, Tcl_ObjPrintf( + "PNG image data overflow")); + Tcl_SetErrorCode(interp, "TK", "IMAGE", "PNG", "DATA_OVERFLOW", NULL); + return TCL_ERROR; + } + if (pngPtr->interlace) { switch (pngPtr->phase) { @@ -1881,8 +1888,6 @@ DecodeLine( * Calculate offset into pixelPtr for the first pixel of the line. */ - assert(pngPtr->currentLine < pngPtr->block.height); - offset = pngPtr->currentLine * pngPtr->block.pitch; /* @@ -2092,8 +2097,7 @@ ReadIDAT( * Process IDAT contents until there is no more in this chunk. */ - while (chunkSz && !Tcl_ZlibStreamEof(pngPtr->stream) - && pngPtr->currentLine < pngPtr->block.height) { + while (chunkSz && !Tcl_ZlibStreamEof(pngPtr->stream)) { int len1, len2; /* |