| author | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2015-08-19 12:52:39 -0500 |
|---|---|---|
| committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2015-08-19 12:52:39 -0500 |
| commit | c357fb70b5de63862a9737c645a83e2d980c2e75 (patch) | |
| tree | 7b6ab3784232fcea0aa49e7e743bea5c59dc7c77 /pngrutil.c | |
| parent | a88dec67f23385c91e94db9fd6422f4993b37847 (diff) | |
| download | libpng-c357fb70b5de63862a9737c645a83e2d980c2e75.tar.gz | |
[libpng15] Fixed the recently reported 1's complement security issue by
replacing the value that is illegal in the PNG spec, in both signed and
unsigned values, with 0. Illegal unsigned values (anything greater than or
equal to 0x80000000) can still pass through, but since these are not illegal
in ANSI-C (unlike 0x80000000 in the signed case) the checking that
occurs later can catch them (John Bowler).
Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert
Seacord).
Diffstat (limited to 'pngrutil.c')

| -rw-r--r-- | pngrutil.c | 8 |
|---|---|---|

1 files changed, 7 insertions, 1 deletions
diff --git a/pngrutil.c b/pngrutil.c index dccca52c4..ae1727a52 100644 --- a/pngrutil.c +++ b/pngrutil.c @@ -89,7 +89,13 @@ png_get_int_32)(png_const_bytep buf) return uval; uval = (uval ^ 0xffffffff) + 1; /* 2's complement: -x = ~x+1 */ - return -(png_int_32)uval; + if ((uval & 0x80000000) == 0) /* no overflow */ + return -(png_int_32)uval; + /* The following has to be safe; this function only gets called on PNG data + * and if we get here that data is invalid. 0 is the most safe value and + * if not then an attacker would surely just generate a PNG with 0 instead. + */ + return 0; } /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */ |
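Review bot: the guard `if ((uval & 0x80000000) == 0)` is the right fix for the negation (after the `~x+1` step, uval == 0x80000000 corresponds exactly to the input 0x80000000, the one value whose negation does not fit in png_int_32), but the `return 0;` fallback silently converts invalid input into a perfectly valid-looking value, and because this function receives only `buf` and no png_ptr it has no way to report the problem. Suggest stating in the function's header comment that the encoding 0x80000000 now decodes as 0, so that the callers which consume signed values know that a 0 from this path may stand for rejected data and still validate at the chunk level. The in-code comment's "an attacker would surely just generate a PNG with 0 instead" is commit-message reasoning rather than a description of behaviour; a one-line comment naming the out-of-range value and the substituted result, e.g. `/* 0x80000000 is not representable; substitute 0 */`, would read more clearly in the source.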