Fix 695831: integer overflow in PNG and TIFF loaders.

author: Tor Andersson <tor.andersson@artifex.com> 2015-02-18 10:45:34 +0100
committer: Tor Andersson <tor.andersson@artifex.com> 2015-02-18 11:29:27 +0100
commit: 1c037cd7aeb3bad78ff0e2eda17b295252984056 (patch)
tree: f72665f256efa51338ddd587fc23972374818707 /source/fitz/load-png.c
parent: 2be707dc57c97b6647b33ca7349e2558f1f2b96f (diff)
download: mupdf-1c037cd7aeb3bad78ff0e2eda17b295252984056.tar.xz
1 files changed, 14 insertions, 1 deletions
diff --git a/source/fitz/load-png.c b/source/fitz/load-png.c
index 1cca89c0..9c947148 100644
--- a/source/fitz/load-png.c
+++ b/source/fitz/load-png.c
@@ -274,6 +274,8 @@ png_read_ihdr(fz_context *ctx, struct info *info, unsigned char *p, unsigned int
 		fz_throw(ctx, FZ_ERROR_GENERIC, "unknown filter method");
 	if (info->interlace != 0 && info->interlace != 1)
 		fz_throw(ctx, FZ_ERROR_GENERIC, "interlace method not supported");
+	if (info->height > UINT_MAX / info->width / info->n / (info->depth / 8 + 1))
+		fz_throw(ctx, FZ_ERROR_GENERIC, "image dimensions might overflow");
 }
 
 static void
@@ -572,7 +574,18 @@ fz_load_png(fz_context *ctx, unsigned char *p, int total)
 	fz_unpack_tile(ctx, image, png.samples, png.n, png.depth, stride, png.indexed);
 
 	if (png.indexed)
-		image = png_expand_palette(ctx, &png, image);
+	{
+		fz_try(ctx)
+		{
+			image = png_expand_palette(ctx, &png, image);
+		}
+		fz_catch(ctx)
+		{
+			fz_free(ctx, png.samples);
+			fz_drop_pixmap(ctx, image);
+			fz_rethrow(ctx);
+		}
+	}
 	else if (png.transparency)
 		png_mask_transparency(&png, image);
author	Tor Andersson <tor.andersson@artifex.com>	2015-02-18 10:45:34 +0100
committer	Tor Andersson <tor.andersson@artifex.com>	2015-02-18 11:29:27 +0100
commit	1c037cd7aeb3bad78ff0e2eda17b295252984056 (patch)
tree	f72665f256efa51338ddd587fc23972374818707 /source/fitz/load-png.c
parent	2be707dc57c97b6647b33ca7349e2558f1f2b96f (diff)
download	mupdf-1c037cd7aeb3bad78ff0e2eda17b295252984056.tar.xz