diff options
author | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-08-06 08:25:56 -0500 |
---|---|---|
committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-08-06 08:25:56 -0500 |
commit | 099558d1003c794049d65b3ea70275ec731ad77c (patch) | |
tree | c5b7c63a53e11875bd4234c0b54ddaaf3e6a11a8 /pngrutil.c | |
parent | 8ed418b042ac58fdd8da2818917cd2f478cbe466 (diff) | |
download | libpng-099558d1003c794049d65b3ea70275ec731ad77c.tar.gz |
[libpng16] Relocate the iCCP length test to a point after reading the keyword
Diffstat (limited to 'pngrutil.c')
-rw-r--r-- | pngrutil.c | 23 |
1 files changed, 13 insertions, 10 deletions
diff --git a/pngrutil.c b/pngrutil.c index 8656fa5b5..d87484632 100644 --- a/pngrutil.c +++ b/pngrutil.c @@ -1380,17 +1380,7 @@ png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) * chunk is just ignored, so does not invalidate the color space. An * alternative is to set the 'invalid' flags at the start of this routine * and only clear them in they were not set before and all the tests pass. - * The minimum 'zlib' stream is assumed to be just the 2 byte header, - * 5 bytes minimum 'deflate' stream, and the 4 byte checksum. The keyword - * must be at least one character and there is a terminator (0) byte and - * the compression method. */ - if (length < 14) - { - png_crc_finish(png_ptr, length); - png_chunk_benign_error(png_ptr, "too short"); - return; - } /* If a colorspace error has already been output skip this chunk */ if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0) @@ -1417,6 +1407,19 @@ png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) png_crc_read(png_ptr, (png_bytep)keyword, read_length); length -= read_length; + /* The minimum 'zlib' stream is assumed to be just the 2 byte header, + * 5 bytes minimum 'deflate' stream, and the 4 byte checksum. The keyword + * must be at least one character and there is a terminator (0) byte and + * the compression method. + */ + + if (length < 14) + { + png_crc_finish(png_ptr, length); + png_chunk_benign_error(png_ptr, "too short"); + return; + } + keyword_length = 0; while (keyword_length < 80 && keyword_length < read_length && keyword[keyword_length] != 0) |