[master] Check for integer overflow in png_set_rgb_to_gray().

author: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> 2011-06-05 23:26:14 -0500
committer: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> 2011-06-05 23:26:14 -0500
commit: cc1d4d0dbc727f60b7ae5320776c05e668fd40e3 (patch)
tree: 2b2b04f7c26597ab1865fe7cad96c235bf2d7b71
parent: 070434c04512948f7eb4acf09a36a6f06000f456 (diff)
download: libpng-cc1d4d0dbc727f60b7ae5320776c05e668fd40e3.tar.gz
3 files changed, 13 insertions, 3 deletions
diff --git a/ANNOUNCE b/ANNOUNCE
index fe4e8b60d..f547e8787 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
 
-Libpng 1.4.8beta02 - June 5, 2011
+Libpng 1.4.8beta02 - June 6, 2011
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -41,6 +41,9 @@ version 1.4.8beta02 [June 5, 2011]
   Ported bugfix in pngrtran.c from 1.5.3: Ensure coefficients are OK for
     png_rgb_to_gray_fixed().
 
+version 1.4.8beta03 [June 6, 2011]
+  Check for integer overflow in png_set_rgb_to_gray().
+
 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement).
diff --git a/CHANGES b/CHANGES
index dbbe871ce..27ba624bc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2809,6 +2809,9 @@ version 1.4.8beta02 [June 5, 2011]
   Ported bugfix in pngrtran.c from 1.5.3: Ensure coefficients are OK for
     png_rgb_to_gray_fixed().
 
+version 1.4.8beta03 [June 6, 2011]
+  Check for integer overflow in png_set_rgb_to_gray().
+
 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement).
diff --git a/pngrtran.c b/pngrtran.c
index 0a01db8ba..6bce578df 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -660,10 +660,14 @@ void PNGAPI
 png_set_rgb_to_gray(png_structp png_ptr, int error_action, double red,
    double green)
 {
-   int red_fixed = (int)((float)red*100000.0 + 0.5);
-   int green_fixed = (int)((float)green*100000.0 + 0.5);
+   int red_fixed, green_fixed;
    if (png_ptr == NULL)
       return;
+   if (red > 21474.83647 || red < -21474.83648 ||
+       green > 21474.83647 || green < -21474.83648)
+      png_error(png_ptr, "ignoring out of range rgb_to_gray coefficients");
+   red_fixed = (int)((float)red*100000.0 + 0.5);
+   green_fixed = (int)((float)green*100000.0 + 0.5);
    png_set_rgb_to_gray_fixed(png_ptr, error_action, red_fixed, green_fixed);
 }
 #endif
author	Glenn Randers-Pehrson <glennrp at users.sourceforge.net>	2011-06-05 23:26:14 -0500
committer	Glenn Randers-Pehrson <glennrp at users.sourceforge.net>	2011-06-05 23:26:14 -0500
commit	cc1d4d0dbc727f60b7ae5320776c05e668fd40e3 (patch)
tree	2b2b04f7c26597ab1865fe7cad96c235bf2d7b71
parent	070434c04512948f7eb4acf09a36a6f06000f456 (diff)
download	libpng-cc1d4d0dbc727f60b7ae5320776c05e668fd40e3.tar.gz