diff options
author | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-08-02 19:21:19 -0500 |
---|---|---|
committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-08-02 19:21:19 -0500 |
commit | 347538efbdc21b8df684ebd92d37400b3ce85d55 (patch) | |
tree | 9188579fe41cccb7e3ce3d3c26689c8562d69d28 /pngpread.c | |
parent | 2b37d46564b48efa0298f57134c6a555c223ee44 (diff) | |
download | libpng-347538efbdc21b8df684ebd92d37400b3ce85d55.tar.gz |
[libng16] Check length of all chunks except IDAT against user limit.
Diffstat (limited to 'pngpread.c')
-rw-r--r-- | pngpread.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/pngpread.c b/pngpread.c index 650ba1e23..45b23a79c 100644 --- a/pngpread.c +++ b/pngpread.c @@ -223,6 +223,21 @@ png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr) png_benign_error(png_ptr, "Too many IDATs found"); } + else + { + png_alloc_size_t limit = PNG_SIZE_MAX; +# ifdef PNG_SET_USER_LIMITS_SUPPORTED + if (png_ptr->user_chunk_malloc_max > 0 && + png_ptr->user_chunk_malloc_max < limit) + limit = png_ptr->user_chunk_malloc_max; +# elif PNG_USER_CHUNK_MALLOC_MAX > 0 + if (PNG_USER_CHUNK_MALLOC_MAX < limit) + limit = PNG_USER_CHUNK_MALLOC_MAX; +# endif + if (png_ptr->push_length > limit) + png_chunk_error(png_ptr, "chunk data is too large"); + } + if (chunk_name == png_IHDR) { if (png_ptr->push_length != 13) |