summaryrefslogtreecommitdiffstats
path: root/generic
diff options
context:
space:
mode:
authordgp <dgp@users.sourceforge.net>2015-09-23 21:29:42 (GMT)
committerdgp <dgp@users.sourceforge.net>2015-09-23 21:29:42 (GMT)
commite2138596ed17444e34d4aacc028486e200cad81f (patch)
tree5d3981b258fb01d746e438d828b4a4fccd447bc4 /generic
parent52f8a05fe615644764e95244879e6aa0e782fecd (diff)
downloadtk-e2138596ed17444e34d4aacc028486e200cad81f.zip
tk-e2138596ed17444e34d4aacc028486e200cad81f.tar.gz
tk-e2138596ed17444e34d4aacc028486e200cad81f.tar.bz2
[c648c8dad1] Repair PNG reader buffer overflow protections that prevented
read of valid PNG image.
Diffstat (limited to 'generic')
-rw-r--r--generic/tkImgPNG.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/generic/tkImgPNG.c b/generic/tkImgPNG.c
index 9d0fb30..2ee515b 100644
--- a/generic/tkImgPNG.c
+++ b/generic/tkImgPNG.c
@@ -1847,6 +1847,13 @@ DecodeLine(
if (UnfilterLine(interp, pngPtr) == TCL_ERROR) {
return TCL_ERROR;
}
+ if (pngPtr->currentLine >= pngPtr->block.height) {
+ Tcl_SetObjResult(interp, Tcl_ObjPrintf(
+ "PNG image data overflow"));
+ Tcl_SetErrorCode(interp, "TK", "IMAGE", "PNG", "DATA_OVERFLOW", NULL);
+ return TCL_ERROR;
+ }
+
if (pngPtr->interlace) {
switch (pngPtr->phase) {
@@ -1881,8 +1888,6 @@ DecodeLine(
* Calculate offset into pixelPtr for the first pixel of the line.
*/
- assert(pngPtr->currentLine < pngPtr->block.height);
-
offset = pngPtr->currentLine * pngPtr->block.pitch;
/*
@@ -2092,8 +2097,7 @@ ReadIDAT(
* Process IDAT contents until there is no more in this chunk.
*/
- while (chunkSz && !Tcl_ZlibStreamEof(pngPtr->stream)
- && pngPtr->currentLine < pngPtr->block.height) {
+ while (chunkSz && !Tcl_ZlibStreamEof(pngPtr->stream)) {
int len1, len2;
/*