[png] Fix potential integer overflow

Signed-off-by: Michael Brown <mcb30@ipxe.org>
Michael Brown
2020-06-04 22:09:11 +01:00
parent ebff21a515
commit d68befef1a


@@ -924,9 +924,9 @@ static int png_pixbuf ( struct image *image, struct pixel_buffer **pixbuf ) {
/* Extract chunk header */
remaining = ( image->len - png->offset );
if ( remaining < sizeof ( header ) ) {
DBGC ( image, "PNG %s truncated chunk header at offset "
"%zd\n", image->name, png->offset );
if ( remaining < ( sizeof ( header ) + sizeof ( footer ) ) ) {
DBGC ( image, "PNG %s truncated chunk header/footer "
"at offset %zd\n", image->name, png->offset );
rc = -EINVAL;
goto err_truncated;
}
@@ -936,10 +936,10 @@ static int png_pixbuf ( struct image *image, struct pixel_buffer **pixbuf ) {
/* Validate chunk length */
chunk_len = ntohl ( header.len );
if ( remaining < ( sizeof ( header ) + chunk_len +
if ( chunk_len > ( remaining - sizeof ( header ) -
sizeof ( footer ) ) ) {
DBGC ( image, "PNG %s truncated chunk data/footer at "
"offset %zd\n", image->name, png->offset );
DBGC ( image, "PNG %s truncated chunk data at offset "
"%zd\n", image->name, png->offset );
rc = -EINVAL;
goto err_truncated;
}
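Review bot: The rewritten length check in the second hunk, `chunk_len > ( remaining - sizeof ( header ) - sizeof ( footer ) )`, is only free of unsigned wraparound because the first hunk now rejects `remaining < ( sizeof ( header ) + sizeof ( footer ) )`, and nothing at the subtraction says so. A comment there such as `/* Cannot underflow: remaining >= header + footer was checked above */` would keep a later edit to the first check from silently reopening the overflow for a file-supplied chunk length. The computation `remaining = ( image->len - png->offset )` similarly assumes the offset never passes the image length; that presumably holds through how the offset is advanced, but it is outside the visible lines and worth confirming. The body of png_pixbuf starts and ends outside both hunks.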