pnggroup / libpng

LIBPNG: Portable Network Graphics support, official libpng repository
http://libpng.sf.net

Possible integer overflow in pngtests.c #567

Open ashamedbit opened 2 months ago

ashamedbit commented 2 months ago

In the file ./libpng/contrib/libtests/pngstest.c on line 669, there is a line: size_t size = PNG_IMAGE_BUFFER_SIZE(image->image, image->stride);

This resolves into: (((((image->image).format)&0x08U)?1:(((((image->image).format) & 0x04U) >> 2)+1))*(image->image).height*(image->stride)).

Here (image->image).height is an unsigned integer and image->stride is a long variable. The final output variable size is unsigned long. However, the multiplication result may overflow 'unsigned int' before it is converted to 'long'.

The definition of PNG_IMAGE_BUFFER_SIZE should be: (((((image->image).format)&0x08U)?1: (size_t) (((((image->image).format) & 0x04U) >> 2)+1))*(image->image).height*(image->stride)).
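
The promotion order the report describes, as an added, stand-alone illustration that is not libpng code and not code from either commenter. The two functions below mirror the quoted expansion and the proposed size_t-widened form; the FMT_* bit constants, the argument types (uint32_t for the height, int64_t standing in for the long/ptrdiff_t stride of an LP64 build, uint64_t standing in for a 64-bit size_t) and the sample values are all constructed here and assume a 32-bit int.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the two format bits the quoted expansion tests:
 * 0x04 selects two-byte (linear) components, 0x08 a colormapped image. */
#define FMT_LINEAR   0x04U
#define FMT_COLORMAP 0x08U

/* The expansion as quoted in the report. The ?: operand is an int/unsigned
 * int, so "component_size * height" is a 32-bit unsigned multiply that can
 * wrap before the 64-bit stride widens the product. */
static uint64_t buffer_size_as_written(unsigned int format, uint32_t height,
                                       int64_t stride)
{
    return (uint64_t)(((format & FMT_COLORMAP) ? 1
                       : (((format & FMT_LINEAR) >> 2) + 1))
                      * height * stride);
}

/* The report's proposed form: casting the first factor to the wide type
 * makes every multiply 64-bit, so no intermediate wrap occurs. */
static uint64_t buffer_size_widened(unsigned int format, uint32_t height,
                                    int64_t stride)
{
    return ((format & FMT_COLORMAP) ? (uint64_t)1
            : (uint64_t)(((format & FMT_LINEAR) >> 2) + 1))
           * height * stride;
}

/* 1 if the two forms disagree for this input, i.e. the 32-bit product wrapped. */
static int size_differs(unsigned int format, uint32_t height, int64_t stride)
{
    return buffer_size_as_written(format, height, stride)
        != buffer_size_widened(format, height, stride);
}

int main(void)
{
    /* Constructed inputs: a 16-bit image whose height exceeds 2^31 makes
     * 2 * height exceed 32 bits; a small image is unaffected. */
    struct { unsigned int format; uint32_t height; int64_t stride; } cases[] = {
        { FMT_LINEAR,   0x80000001u, 3 },   /* wraps: 2 * (2^31 + 1) mod 2^32 = 2 */
        { 0,            1000,        4000 },/* ordinary image, no wrap */
        { FMT_COLORMAP, 0x80000001u, 1 },   /* component size 1, product fits */
    };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("format=0x%02x height=%u stride=%lld: as written=%llu widened=%llu%s\n",
               cases[i].format, cases[i].height, (long long)cases[i].stride,
               (unsigned long long)buffer_size_as_written(cases[i].format, cases[i].height, cases[i].stride),
               (unsigned long long)buffer_size_widened(cases[i].format, cases[i].height, cases[i].stride),
               size_differs(cases[i].format, cases[i].height, cases[i].stride) ? "  (wrapped)" : "");
    }
    return 0;
}
```

The first case is the shape the report is about: the as-written expression yields a buffer of 6 bytes where the widened form yields 12884901894, because the 32-bit product of component size and height wrapped to 2 before the stride was multiplied in. Whether a height that large can reach the macro in practice is a separate question from the arithmetic shown here.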

jbowler commented 2 months ago

See the comments in png.h where the macro is defined. The pngstest code allocates a short buffer and png_image_finish_read fails without using it (in libpng 1.6).

Anyway, if pngstest failed in this way libpng would not build; pngstest is only run with the test files in contrib/testpngs.