[dece631375] Prevent PNG Reader writing to memory beyond end of photo image

block.
author: dgp <dgp@users.sourceforge.net> 2015-05-15 15:51:20 (GMT)
committer: dgp <dgp@users.sourceforge.net> 2015-05-15 15:51:20 (GMT)
commit: a7faf9f8a33c55adb9081e5a27a31d2eae249638 (patch)
tree: d69914ff4650e385f782465c9589b81d24ded23f
parent: 5f46d2f08eda1b81b09264e12b2fdf4a16342e2f (diff)
download: tk-a7faf9f8a33c55adb9081e5a27a31d2eae249638.zip
tk-a7faf9f8a33c55adb9081e5a27a31d2eae249638.tar.gz
tk-a7faf9f8a33c55adb9081e5a27a31d2eae249638.tar.bz2
1 files changed, 7 insertions, 3 deletions
diff --git a/generic/tkImgPNG.c b/generic/tkImgPNG.c
index 8146e33..9d0fb30 100644
--- a/generic/tkImgPNG.c
+++ b/generic/tkImgPNG.c
@@ -2092,7 +2092,8 @@ ReadIDAT(
      * Process IDAT contents until there is no more in this chunk.
      */
 
-    while (chunkSz && !Tcl_ZlibStreamEof(pngPtr->stream)) {
+    while (chunkSz && !Tcl_ZlibStreamEof(pngPtr->stream)
+	    && pngPtr->currentLine < pngPtr->block.height) {
 	int len1, len2;
 
 	/*
@@ -2178,10 +2179,13 @@ ReadIDAT(
 
 	    /*
 	     * Try to read another line of pixels out of the buffer
-	     * immediately.
+	     * immediately, but don't allow write past end of block.
 	     */
 
-	    goto getNextLine;
+	    if (pngPtr->currentLine < pngPtr->block.height) {
+		goto getNextLine;
+	    }
+
 	}
 
 	/*
author	dgp <dgp@users.sourceforge.net>	2015-05-15 15:51:20 (GMT)
committer	dgp <dgp@users.sourceforge.net>	2015-05-15 15:51:20 (GMT)
commit	a7faf9f8a33c55adb9081e5a27a31d2eae249638 (patch)
tree	d69914ff4650e385f782465c9589b81d24ded23f
parent	5f46d2f08eda1b81b09264e12b2fdf4a16342e2f (diff)
download	tk-a7faf9f8a33c55adb9081e5a27a31d2eae249638.zip tk-a7faf9f8a33c55adb9081e5a27a31d2eae249638.tar.gz tk-a7faf9f8a33c55adb9081e5a27a31d2eae249638.tar.bz2