summaryrefslogtreecommitdiffstats
path: root/generic/tkImgPNG.c
diff options
context:
space:
mode:
authorfvogel <fvogelnew1@free.fr>2016-01-11 13:23:20 (GMT)
committerfvogel <fvogelnew1@free.fr>2016-01-11 13:23:20 (GMT)
commitddae56bbd0023f29a24d0529ed4fa0e3820ce7f2 (patch)
tree87dfd77a94fb45488edde792e3b0735459a1fea7 /generic/tkImgPNG.c
parent5c01788dc22a4a2f8e6d9e943dc61a5b73b28291 (diff)
parent4a2efd946fe6674e460172920d097f7329d8e5d9 (diff)
downloadtk-ddae56bbd0023f29a24d0529ed4fa0e3820ce7f2.zip
tk-ddae56bbd0023f29a24d0529ed4fa0e3820ce7f2.tar.gz
tk-ddae56bbd0023f29a24d0529ed4fa0e3820ce7f2.tar.bz2
merged trunk
Diffstat (limited to 'generic/tkImgPNG.c')
-rw-r--r--generic/tkImgPNG.c17
1 files changed, 14 insertions, 3 deletions
diff --git a/generic/tkImgPNG.c b/generic/tkImgPNG.c
index 8a740d2..2ee515b 100644
--- a/generic/tkImgPNG.c
+++ b/generic/tkImgPNG.c
@@ -10,6 +10,7 @@
* this file, and for a DISCLAIMER OF ALL WARRANTIES.
*/
+#include "assert.h"
#include "tkInt.h"
#define PNG_INT32(a,b,c,d) \
@@ -1846,6 +1847,13 @@ DecodeLine(
if (UnfilterLine(interp, pngPtr) == TCL_ERROR) {
return TCL_ERROR;
}
+ if (pngPtr->currentLine >= pngPtr->block.height) {
+ Tcl_SetObjResult(interp, Tcl_ObjPrintf(
+ "PNG image data overflow"));
+ Tcl_SetErrorCode(interp, "TK", "IMAGE", "PNG", "DATA_OVERFLOW", NULL);
+ return TCL_ERROR;
+ }
+
if (pngPtr->interlace) {
switch (pngPtr->phase) {
@@ -2175,10 +2183,13 @@ ReadIDAT(
/*
* Try to read another line of pixels out of the buffer
- * immediately.
+ * immediately, but don't allow write past end of block.
*/
- goto getNextLine;
+ if (pngPtr->currentLine < pngPtr->block.height) {
+ goto getNextLine;
+ }
+
}
/*
@@ -3345,7 +3356,7 @@ EncodePNG(
pngPtr->colorType = PNG_COLOR_RGBA;
pngPtr->bytesPerPixel = 4;
} else {
- pngPtr->colorType = PNG_COLOR_RGBA;
+ pngPtr->colorType = PNG_COLOR_RGB;
pngPtr->bytesPerPixel = 3;
}
} else {
generated by cgit v0.12 at 2024-09-06 11:16:03 (GMT)