authorGlenn Randers-Pehrson <glennrp at users.sourceforge.net>2017-08-06 10:24:04 -0500
committerGlenn Randers-Pehrson <glennrp at users.sourceforge.net>2017-08-06 10:24:04 -0500
commitcf713fb0ab5854c6d8ccb9c17420f78afbc77908 (patch)
treeefec04ab9b0263e731f46ef38eb2e836cf9de51c /pngrutil.c
parentc82ae40e9f7ac15e5f58492955ea9c6d8bdc72a7 (diff)
[libpng16] Check that the eXIf chunk has at least 2 bytes and begins
with "II" or "MM".
Diffstat (limited to 'pngrutil.c')
-rw-r--r--pngrutil.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/pngrutil.c b/pngrutil.c
index 949a6720b..68b955fbf 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -2035,6 +2035,13 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
png_chunk_error(png_ptr, "missing IHDR");
+ if (length < 2)
+ {
+ png_crc_finish(png_ptr, length);
+ png_chunk_benign_error(png_ptr, "too short");
+ return;
+ }
+
else if (info_ptr == NULL || (info_ptr->valid & PNG_INFO_eXIf) != 0)
{
png_crc_finish(png_ptr, length);
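Review bot: The new `if (length < 2)` block is inserted between the IHDR check and the existing `else if`, so that `else if` now binds to the length test instead of the IHDR test, with a blank added line between the closing brace and `else`. The result is only equivalent because the new block returns and png_chunk_error presumably does not return, which is easy to miss. I would put the length test after the `else if` chain, or drop the `else` and add a comment such as `/* length >= 2 from here on; the byte-order check below relies on it */`. The body of png_handle_eXIf starts and continues outside this hunk.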
@@ -2059,6 +2066,13 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
png_byte buf[1];
png_crc_read(png_ptr, buf, 1);
info_ptr->eXIf_buf[i] = buf[0];
+ if (i == 2 && buf[0] != 'M' && buf[0] != 'I'
+ && info_ptr->eXIf_buf[0] != buf[0])
+ {
+ png_crc_finish(png_ptr, length);
+ png_chunk_benign_error(png_ptr, "incorrect byte-order specifier");
+ return;
+ }
}
if (png_crc_finish(png_ptr, 0) != 0)
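Review bot: The byte-order test added inside the copy loop fires at `i == 2`, the third byte of the chunk, so the second byte is never compared, and a header is rejected whenever its third byte is neither 'M' nor 'I' and differs from the first. Because the three comparisons are joined with `&&`, a chunk whose leading bytes repeat any other value also passes; the check described in the commit message would be `if (i == 1 && ((buf[0] != 'M' && buf[0] != 'I') || info_ptr->eXIf_buf[0] != buf[0]))`. On the error path `png_crc_finish(png_ptr, length)` asks to skip the full chunk length although i + 1 bytes have already been read, which would consume bytes belonging to the next chunk; `png_crc_finish(png_ptr, length - i - 1);` keeps the stream aligned. The allocation of eXIf_buf is outside the hunk, so whether the partially filled buffer must be released before `return` needs to be checked there.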