Bug 1288588 - Exit on bad CRC in fcTL or fdAT chunk in an APNG file. r=jrmuizel

Glenn Randers-Pehrson 2016-08-12 21:31:31 -04:00
parent 6434d6daf4
commit dc0ab41166
4 changed files with 14 additions and 4 deletions


@ -973,6 +973,14 @@ nsPNGDecoder::frame_info_callback(png_structp png_ptr, png_uint_32 frame_num)
png_get_next_frame_width(png_ptr, decoder->mInfo),
png_get_next_frame_height(png_ptr, decoder->mInfo));
#ifndef PNGLCONF_H
// if using system library, check frame_width and height against 0
if (frameRect.width == 0)
png_error(png_ptr, "Frame width must not be 0");
if (frameRect.height == 0)
png_error(png_ptr, "Frame height must not be 0");
#endif
const bool isInterlaced = bool(decoder->interlacebuf);
decoder->mNextFrameInfo = Some(FrameInfo{ decoder->format,
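Review bot: The `#ifndef PNGLCONF_H` guard around the new zero-size checks keys on an include-guard macro, which is a fragile way to detect a system libpng build. If the system library's configuration header defines the same guard (upstream libpng's pnglibconf.h appears to), the block is compiled out in exactly the build it is meant for, and a zero-width or zero-height frame from an untrusted APNG would pass through to whatever uses `frameRect` without this check. The pnglconf.h section of this page shows a `MOZ_EMBEDDED_LIBPNG` define that looks intended for this purpose, so the guard would be safer as `#ifndef MOZ_EMBEDDED_LIBPNG`. The two `if` statements would also read better braced, e.g. `if (frameRect.width == 0) { png_error(png_ptr, "Frame width must not be 0"); }`. The body of frame_info_callback starts and ends outside the hunk, so later handling of `frameRect` is not visible here.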


@ -1045,9 +1045,9 @@ Index: pngset.c
+ png_byte dispose_op, png_byte blend_op)
+{
+ if (width == 0 || width > PNG_UINT_31_MAX)
+ png_error(png_ptr, "invalid width in fcTL (> 2^31-1)");
+ png_error(png_ptr, "invalid width in fcTL (0 or > 2^31-1)");
+ if (height == 0 || height > PNG_UINT_31_MAX)
+ png_error(png_ptr, "invalid height in fcTL (> 2^31-1)");
+ png_error(png_ptr, "invalid height in fcTL (0 or > 2^31-1)");
+ if (x_offset > PNG_UINT_31_MAX)
+ png_error(png_ptr, "invalid x_offset in fcTL (> 2^31-1)");
+ if (y_offset > PNG_UINT_31_MAX)


@ -5,6 +5,8 @@
#ifndef PNGLCONF_H
#define PNGLCONF_H
#define MOZ_EMBEDDED_LIBPNG
/* Limit image dimensions (bug #251381, #591822, #967656, and #1283961) */
#ifndef MOZ_PNG_MAX_WIDTH
# define MOZ_PNG_MAX_WIDTH 0x7fffffffL /* Unlimited */


@ -1196,9 +1196,9 @@ png_ensure_fcTL_is_valid(png_structp png_ptr,
png_byte dispose_op, png_byte blend_op)
{
if (width == 0 || width > PNG_UINT_31_MAX)
png_error(png_ptr, "invalid width in fcTL (> 2^31-1)");
png_error(png_ptr, "invalid width in fcTL (0 or > 2^31-1)");
if (height == 0 || height > PNG_UINT_31_MAX)
png_error(png_ptr, "invalid height in fcTL (> 2^31-1)");
png_error(png_ptr, "invalid height in fcTL (0 or > 2^31-1)");
if (x_offset > PNG_UINT_31_MAX)
png_error(png_ptr, "invalid x_offset in fcTL (> 2^31-1)");
if (y_offset > PNG_UINT_31_MAX)