Security fix for overflow check. am: ebb6f04c88 am: d44ed48f0c
am: 6d524288a4
Change-Id: Iafdbd4ddc9bc692dd46c16a53369c7c6169e9cff
diff --git a/gdx/jni/gdx2d/stb_image.h b/gdx/jni/gdx2d/stb_image.h
index cf9ab59..d91b308 100644
--- a/gdx/jni/gdx2d/stb_image.h
+++ b/gdx/jni/gdx2d/stb_image.h
@@ -4460,7 +4460,7 @@
return stbi__err("Bad x","Bad x");
// initial guess for decoded data size to avoid unnecessary reallocs
bpl = (s->img_x * depth + 7) / 8; // bytes per line, per component
- if (bpl > (INT_MAX - s->img_y) / bpl / s->img_y)
+ if (bpl > (INT_MAX - s->img_y) / s->img_n / s->img_y)
return stbi__err("Integer Overflow","y incorrect");
raw_len = bpl * s->img_y * s->img_n /* pixels */ + s->img_y /* filter mode per row */;
z->expanded = (stbi_uc *) stbi_zlib_decode_malloc_guesssize_headerflag((char *) z->idata, ioff, raw_len, (int *) &raw_len, !is_iphone);
