[libng16] Check length of all chunks except IDAT against user limit.

author: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> 2017-08-02 19:21:19 -0500
committer: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> 2017-08-02 19:21:19 -0500
commit: 347538efbdc21b8df684ebd92d37400b3ce85d55 (patch)
tree: 9188579fe41cccb7e3ce3d3c26689c8562d69d28 /pngpread.c
parent: 2b37d46564b48efa0298f57134c6a555c223ee44 (diff)
download: libpng-347538efbdc21b8df684ebd92d37400b3ce85d55.tar.gz
1 files changed, 15 insertions, 0 deletions
diff --git a/pngpread.c b/pngpread.c
index 650ba1e23..45b23a79c 100644
--- a/pngpread.c
+++ b/pngpread.c
@@ -223,6 +223,21 @@ png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr)
          png_benign_error(png_ptr, "Too many IDATs found");
    }
 
+   else
+   {
+      png_alloc_size_t limit = PNG_SIZE_MAX;
+# ifdef PNG_SET_USER_LIMITS_SUPPORTED
+      if (png_ptr->user_chunk_malloc_max > 0 &&
+          png_ptr->user_chunk_malloc_max < limit)
+         limit = png_ptr->user_chunk_malloc_max;
+# elif PNG_USER_CHUNK_MALLOC_MAX > 0
+      if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+         limit = PNG_USER_CHUNK_MALLOC_MAX;
+# endif
+      if (png_ptr->push_length > limit)
+         png_chunk_error(png_ptr, "chunk data is too large");
+   }
+
    if (chunk_name == png_IHDR)
    {
       if (png_ptr->push_length != 13)
author	Glenn Randers-Pehrson <glennrp at users.sourceforge.net>	2017-08-02 19:21:19 -0500
committer	Glenn Randers-Pehrson <glennrp at users.sourceforge.net>	2017-08-02 19:21:19 -0500
commit	347538efbdc21b8df684ebd92d37400b3ce85d55 (patch)
tree	9188579fe41cccb7e3ce3d3c26689c8562d69d28 /pngpread.c
parent	2b37d46564b48efa0298f57134c6a555c223ee44 (diff)
download	libpng-347538efbdc21b8df684ebd92d37400b3ce85d55.tar.gz