author | dgp <dgp@noemail.net> | 2015-09-23 21:29:42 (GMT) |
---|---|---|
committer | dgp <dgp@noemail.net> | 2015-09-23 21:29:42 (GMT) |
commit | c10dc7002607b9527235a2d545388b9a521d67b4 (patch) | |
tree | 5d3981b258fb01d746e438d828b4a4fccd447bc4 /generic/tkImgPNG.c | |
parent | 3569bde4c1051bc9f87134ba37c932f221fa4756 (diff) | |
[c648c8dad1] Repair PNG reader buffer overflow protections that prevented
read of valid PNG image.
FossilOrigin-Name: ce2fdd0cf18cec7400ede2108aa94710e37635bb
Diffstat (limited to 'generic/tkImgPNG.c')
-rw-r--r-- | generic/tkImgPNG.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/generic/tkImgPNG.c b/generic/tkImgPNG.c index 9d0fb30..2ee515b 100644 --- a/generic/tkImgPNG.c +++ b/generic/tkImgPNG.c @@ -1847,6 +1847,13 @@ DecodeLine( if (UnfilterLine(interp, pngPtr) == TCL_ERROR) { return TCL_ERROR; } + if (pngPtr->currentLine >= pngPtr->block.height) { + Tcl_SetObjResult(interp, Tcl_ObjPrintf( + "PNG image data overflow")); + Tcl_SetErrorCode(interp, "TK", "IMAGE", "PNG", "DATA_OVERFLOW", NULL); + return TCL_ERROR; + } + if (pngPtr->interlace) { switch (pngPtr->phase) { @@ -1881,8 +1888,6 @@ DecodeLine( * Calculate offset into pixelPtr for the first pixel of the line. */ - assert(pngPtr->currentLine < pngPtr->block.height); - offset = pngPtr->currentLine * pngPtr->block.pitch; /* @@ -2092,8 +2097,7 @@ ReadIDAT( * Process IDAT contents until there is no more in this chunk. */ - while (chunkSz && !Tcl_ZlibStreamEof(pngPtr->stream) - && pngPtr->currentLine < pngPtr->block.height) { + while (chunkSz && !Tcl_ZlibStreamEof(pngPtr->stream)) { int len1, len2; /* |
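Review bot: The bounds check added after the `UnfilterLine` call in DecodeLine carries no comment, although it is now the only runtime guard on the row write that follows at `offset = pngPtr->currentLine * pngPtr->block.pitch`: the second hunk drops the `assert` and the third drops the line-count test from the ReadIDAT loop. A one-line comment above it would keep a later cleanup from weakening it or turning it back into an assertion, e.g. `/* Reject surplus image data: currentLine is used as a row index into pixelPtr below. */`. The message takes no format arguments, so `Tcl_NewStringObj("PNG image data overflow", -1)` would be the plainer call than `Tcl_ObjPrintf`. DecodeLine's body starts and ends outside the hunk.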
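Review bot: With `pngPtr->currentLine < pngPtr->block.height` gone from the `while` condition in ReadIDAT, the loop stops on surplus data only if the DecodeLine result is checked and returned inside the loop body, which lies outside this hunk and should be confirmed. The loop should say where the bound now lives, e.g. `/* No line-count test here: DecodeLine rejects surplus lines with DATA_OVERFLOW. */`. A regression test that pairs the valid image from ticket c648c8dad1 with an image whose data decodes to more rows than its header declares would pin both behaviours. The diffstat shown is limited to this file, so such a test may already exist elsewhere in the commit.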