author | Henrik Smiding <henrik.smiding@intel.com> | 2015-02-20 13:01:11 +0100 |
---|---|---|
committer | Michael Bestas <mikeioannina@gmail.com> | 2015-02-27 03:25:00 +0200 |
commit | 54f66be12723cd6928eae581cff36c3437b03d9e (patch) | |
tree | ca69bceb1cce4ffc4cf8d3cccbef615507d28edb | |
parent | 8594e1a8521b2cbdd941719b929b15ba943b1d4a (diff) | |
Fix buffer overflow security vulnerability (CVE-2014-9495)
Fixes the heap-based buffer overflow in the png_combine_row
function, when running on 64-bit systems. Might allow context-
dependent attackers to execute arbitrary code via a
"very wide interlaced" PNG image.
This is a cherry-pick of commit dc294204b641373bc6eb603075a8b98f51a75dd8
from upstream branch libpng16
bug: 19474828
Signed-off-by: Henrik Smiding <henrik.smiding@intel.com>
Change-Id: If8708a8e48afd61de36bb897d222972979a4e892
-rw-r--r-- | pngrutil.c | 6 |
1 files changed, 3 insertions, 3 deletions
@@ -3028,7 +3028,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
 {
 unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
 png_const_bytep sp = png_ptr->row_buf + 1;
- png_uint_32 row_width = png_ptr->width;
+ png_alloc_size_t row_width = png_ptr->width;
 unsigned int pass = png_ptr->pass;
 png_bytep end_ptr = 0;
 png_byte end_byte = 0;
@@ -3301,7 +3301,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
 /* But don't allow this number to exceed the actual row width. */
 if (bytes_to_copy > row_width)
- bytes_to_copy = row_width;
+ bytes_to_copy = (unsigned int)/*SAFE*/row_width;
 }
 else /* normal row; Adam7 only ever gives us one pixel to copy. */
@@ -3481,7 +3481,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
 dp += bytes_to_jump;
 row_width -= bytes_to_jump;
 if (bytes_to_copy > row_width)
- bytes_to_copy = row_width;
+ bytes_to_copy = (unsigned int)/*SAFE*/row_width;
 }
 } |
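Review bot: In the first hunk (old line 3028) the fix depends on `png_alloc_size_t` being wider than 32 bits, and nothing at the declaration records that. The later hunks compare `row_width` with `bytes_to_copy` and subtract `bytes_to_jump` from it, so it appears to hold a byte count by then; the scaling itself is outside the hunks, but on a build where `png_alloc_size_t` is 32 bits it could presumably still wrap, which fits the "64-bit systems" wording in the description. I would add a comment on the declaration such as `/* png_alloc_size_t, not png_uint_32: row_width becomes a byte count below and must not wrap */`, and confirm that an upper bound on the row size is enforced before this function runs on 32-bit builds. The body of png_combine_row continues past the hunk.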
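Review bot: The `/*SAFE*/` marker on the narrowing casts in the hunks at 3301 and 3481 does not say why the cast is safe. Both assignments sit directly under `if (bytes_to_copy > row_width)`, so `row_width` is smaller than a value that, judging by the cast, is an `unsigned int`; writing that down keeps the guard and the cast from drifting apart in a later edit. I would write `bytes_to_copy = (unsigned int)row_width; /* SAFE: row_width < bytes_to_copy */` in both places. The declaration of `bytes_to_copy` is outside the hunks, so its type is inferred.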