summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--generic/tkImgPNG.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/generic/tkImgPNG.c b/generic/tkImgPNG.c
index 9d0fb30..2ee515b 100644
--- a/generic/tkImgPNG.c
+++ b/generic/tkImgPNG.c
@@ -1847,6 +1847,13 @@ DecodeLine(
if (UnfilterLine(interp, pngPtr) == TCL_ERROR) {
return TCL_ERROR;
}
+ if (pngPtr->currentLine >= pngPtr->block.height) {
+ Tcl_SetObjResult(interp, Tcl_ObjPrintf(
+ "PNG image data overflow"));
+ Tcl_SetErrorCode(interp, "TK", "IMAGE", "PNG", "DATA_OVERFLOW", NULL);
+ return TCL_ERROR;
+ }
+
if (pngPtr->interlace) {
switch (pngPtr->phase) {
@@ -1881,8 +1888,6 @@ DecodeLine(
* Calculate offset into pixelPtr for the first pixel of the line.
*/
- assert(pngPtr->currentLine < pngPtr->block.height);
-
offset = pngPtr->currentLine * pngPtr->block.pitch;
/*
@@ -2092,8 +2097,7 @@ ReadIDAT(
* Process IDAT contents until there is no more in this chunk.
*/
- while (chunkSz && !Tcl_ZlibStreamEof(pngPtr->stream)
- && pngPtr->currentLine < pngPtr->block.height) {
+ while (chunkSz && !Tcl_ZlibStreamEof(pngPtr->stream)) {
int len1, len2;
/*