Bug 154996 - PNGs with invalid IHDR can crash/hang browser. rs=tor

2024-11-26 14:22:01 +00:00 · 2002-06-29 20:11:33 +00:00 · 2002-06-29 20:11:33 +00:00 · db6ae294df
commit db6ae294df
parent 62df86dd33
2 changed files with 10 additions and 0 deletions
--- a/modules/libimg/png/MOZCHANGES
+++ b/modules/libimg/png/MOZCHANGES
@ -14,3 +14,6 @@ Bug 81794 - crash/leak fix for pngrutil.c
 Bug 135579 - small interlaced PNG images not decoded correctly.
 	Affected files: pngpread.c

+Bug 154996 - PNG files with invalid IHDR can crash/hand browser.
+	Affected files: pngpread.c
+
--- a/modules/libimg/png/pngpread.c
+++ b/modules/libimg/png/pngpread.c
@ -736,6 +736,13 @@ png_process_IDAT_data(png_structp png_ptr, png_bytep buffer,
      }
      if (!(png_ptr->zstream.avail_out))
      {
+         if ((
+#if defined(PNG_READ_INTERLACING_SUPPORTED)
+             png_ptr->interlaced && png_ptr->pass > 6) ||
+             (!png_ptr->interlaced &&
+#endif
+             png_ptr->row_number == png_ptr->num_rows-1))
+           png_error(png_ptr, "Too much data in IDAT chunks");
         png_push_process_row(png_ptr);
         png_ptr->zstream.avail_out = (uInt)png_ptr->irowbytes;
         png_ptr->zstream.next_out = png_ptr->row_buf;