Fix buffer overflow security vulnerability (CVE-2014-9495)
Fixes the heap-based buffer overflow in the png_combine_row
function, when running on 64-bit systems. Might allow context-
dependent attackers to execute arbitrary code via a
"very wide interlaced" PNG image.
This is a cherry-pick of commit dc294204b641373bc6eb603075a8b98f51a75dd8
from upstream branch libpng16
bug: 19474828
Signed-off-by: Henrik Smiding <henrik.smiding@intel.com>
Change-Id: If8708a8e48afd61de36bb897d222972979a4e892
diff --git a/pngrutil.c b/pngrutil.c
index 9638bed..381d830 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -3028,7 +3028,7 @@
{
unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
png_const_bytep sp = png_ptr->row_buf + 1;
- png_uint_32 row_width = png_ptr->width;
+ png_alloc_size_t row_width = png_ptr->width;
unsigned int pass = png_ptr->pass;
png_bytep end_ptr = 0;
png_byte end_byte = 0;
@@ -3301,7 +3301,7 @@
/* But don't allow this number to exceed the actual row width. */
if (bytes_to_copy > row_width)
- bytes_to_copy = row_width;
+ bytes_to_copy = (unsigned int)/*SAFE*/row_width;
}
else /* normal row; Adam7 only ever gives us one pixel to copy. */
@@ -3481,7 +3481,7 @@
dp += bytes_to_jump;
row_width -= bytes_to_jump;
if (bytes_to_copy > row_width)
- bytes_to_copy = row_width;
+ bytes_to_copy = (unsigned int)/*SAFE*/row_width;
}
}
