Mercurial > libavcodec.hg

diff png.c @ 2422:18b8b2dcc037 libavcodec

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
various security fixes and precautionary checks
author michael
date Wed, 12 Jan 2005 00:16:25 +0000
parents c6280d48be02
children f67b63ed036d
line wrap: on
line diff
--- a/png.c	Tue Jan 11 08:16:04 2005 +0000
+++ b/png.c	Wed Jan 12 00:16:25 2005 +0000
@@ -140,6 +140,8 @@
 #endif
 static void *png_zalloc(void *opaque, unsigned int items, unsigned int size)
 {
+    if(items >= UINT_MAX / size)
+        return NULL;
     return av_malloc(items * size);
 }
 
@@ -522,6 +524,10 @@
                 goto fail;
             s->width = get32(&s->bytestream);
             s->height = get32(&s->bytestream);
+            if(avcodec_check_dimensions(avctx, s->width, s->height)){
+                s->width= s->height= 0;
+                goto fail;
+            }
             s->bit_depth = *s->bytestream++;
             s->color_type = *s->bytestream++;
             s->compression_type = *s->bytestream++;
@@ -727,7 +733,8 @@
         if (ret != Z_OK)
             return -1;
         if (s->zstream.avail_out == 0) {
-            png_write_chunk(&s->bytestream, MKTAG('I', 'D', 'A', 'T'), s->buf, IOBUF_SIZE);
+            if(s->bytestream_end - s->bytestream > IOBUF_SIZE + 100)
+                png_write_chunk(&s->bytestream, MKTAG('I', 'D', 'A', 'T'), s->buf, IOBUF_SIZE);
             s->zstream.avail_out = IOBUF_SIZE;
             s->zstream.next_out = s->buf;
         }
@@ -895,7 +902,7 @@
         ret = deflate(&s->zstream, Z_FINISH);
         if (ret == Z_OK || ret == Z_STREAM_END) {
             len = IOBUF_SIZE - s->zstream.avail_out;
-            if (len > 0) {
+            if (len > 0 && s->bytestream_end - s->bytestream > len + 100) {
                 png_write_chunk(&s->bytestream, MKTAG('I', 'D', 'A', 'T'), s->buf, len);
             }
             s->zstream.avail_out = IOBUF_SIZE;