Commit 3b556b8c authored by Andreas Tille's avatar Andreas Tille

Fix CVE-2016-5735

parent e1633c30
pngquant (2.5.0-2) unstable; urgency=medium
* Fix CVE-2016-5735 (Thanks for the patch to Emilio Pozuelo
Monfort <pochu@debian.org>)
Closes: 863469
-- Andreas Tille <tille@debian.org> Thu, 01 Jun 2017 10:05:51 +0200
pngquant (2.5.0-1) unstable; urgency=medium
* New upstream version
......
Author: Emilio Pozuelo Monfort <pochu@debian.org>
Last-Update: Wed, 31 May 2017 22:44:53 +0200
Bug-Debian: https://bugs.debian.org/863469
Description: CVE-2016-5735
--- a/rwpng.c
+++ b/rwpng.c
@@ -278,6 +278,12 @@ pngquant_error rwpng_read_image24_libpng
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ // For overflow safety reject images that won't fit in 32-bit
+ if (rowbytes > INT_MAX/mainprog_ptr->height) {
+ png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
+ return PNG_OUT_OF_MEMORY_ERROR; /* not quite true, but whatever */
+ }
+
if ((mainprog_ptr->rgba_data = malloc(rowbytes*mainprog_ptr->height)) == NULL) {
fprintf(stderr, "pngquant readpng: unable to allocate image data\n");
png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
CVE-2016-5735.patch
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment