pngdec,ReadFunc: throw an error on invalid read
convert the assert() to an error check to avoid crashing when reading malformed files. BUG=webp:302 Change-Id: I25eed9cab5c0a439bd3411beacc83f3a27af2bbf
This commit is contained in:
parent
38063af131
commit
bb50bf42b0
@ -18,7 +18,6 @@
|
|||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
|
|
||||||
#ifdef WEBP_HAVE_PNG
|
#ifdef WEBP_HAVE_PNG
|
||||||
#include <assert.h>
|
|
||||||
#include <png.h>
|
#include <png.h>
|
||||||
#include <setjmp.h> // note: this must be included *after* png.h
|
#include <setjmp.h> // note: this must be included *after* png.h
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
@ -198,7 +197,9 @@ typedef struct {
|
|||||||
|
|
||||||
static void ReadFunc(png_structp png_ptr, png_bytep data, png_size_t length) {
|
static void ReadFunc(png_structp png_ptr, png_bytep data, png_size_t length) {
|
||||||
PNGReadContext* const ctx = (PNGReadContext*)png_get_io_ptr(png_ptr);
|
PNGReadContext* const ctx = (PNGReadContext*)png_get_io_ptr(png_ptr);
|
||||||
assert(ctx->offset + length <= ctx->data_size);
|
if (ctx->data_size - ctx->offset < length) {
|
||||||
|
png_error(png_ptr, "ReadFunc: invalid read length (overflow)!");
|
||||||
|
}
|
||||||
memcpy(data, ctx->data + ctx->offset, length);
|
memcpy(data, ctx->data + ctx->offset, length);
|
||||||
ctx->offset += length;
|
ctx->offset += length;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user