narenas
/
opengnsys_ipxe
mirror of https://github.com/ipxe/ipxe.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[png] Fix potential integer overflow 

Signed-off-by: Michael Brown <mcb30@ipxe.org>
pull/115/head
Michael Brown 2020-06-04 22:09:11 +01:00
parent ebff21a515
commit d68befef1a
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/image/png.c
View File

@ -924,9 +924,9 @@ static int png_pixbuf ( struct image *image, struct pixel_buffer **pixbuf ) {
/* Extract chunk header */
remaining = ( image->len - png->offset );
if ( remaining < sizeof ( header ) ) {
DBGC ( image, "PNG %s truncated chunk header at offset "
"%zd\n", image->name, png->offset );
if ( remaining < ( sizeof ( header ) + sizeof ( footer ) ) ) {
DBGC ( image, "PNG %s truncated chunk header/footer "
"at offset %zd\n", image->name, png->offset );
rc = -EINVAL;
goto err_truncated;
}
@ -936,10 +936,10 @@ static int png_pixbuf ( struct image *image, struct pixel_buffer **pixbuf ) {
/* Validate chunk length */
chunk_len = ntohl ( header.len );
if ( remaining < ( sizeof ( header ) + chunk_len +
if ( chunk_len > ( remaining - sizeof ( header ) -
sizeof ( footer ) ) ) {
DBGC ( image, "PNG %s truncated chunk data/footer at "
"offset %zd\n", image->name, png->offset );
DBGC ( image, "PNG %s truncated chunk data at offset "
"%zd\n", image->name, png->offset );
rc = -EINVAL;
goto err_truncated;
}