diff options
author | June McEnroe <june@causal.agency> | 2018-10-28 21:53:53 -0400 |
---|---|---|
committer | June McEnroe <june@causal.agency> | 2018-10-28 21:53:53 -0400 |
commit | 69eb11b847e475e1f9cee55da55c5018f6a9cc59 (patch) | |
tree | 6968ce30da0148326b133c67c93d31403623ddec /bin | |
parent | Remove other building bindings for engineer (diff) | |
download | src-69eb11b847e475e1f9cee55da55c5018f6a9cc59.tar.gz src-69eb11b847e475e1f9cee55da55c5018f6a9cc59.zip |
Prevent buffer overflows in pngo
Diffstat (limited to '')
-rw-r--r-- | bin/pngo.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/bin/pngo.c b/bin/pngo.c index 6835642d..52222efd 100644 --- a/bin/pngo.c +++ b/bin/pngo.c @@ -110,8 +110,12 @@ static void skipChunk(struct Chunk chunk) { if (!(chunk.type[0] & 0x20)) { errx(EX_CONFIG, "%s: unsupported critical chunk %s", path, typeStr(chunk)); } - uint8_t discard[chunk.size]; - readExpect(discard, sizeof(discard), "chunk data"); + uint8_t discard[4096]; + while (chunk.size > sizeof(discard)) { + readExpect(discard, sizeof(discard), "chunk data"); + chunk.size -= sizeof(discard); + } + if (chunk.size) readExpect(discard, chunk.size, "chunk data"); readCrc(); } @@ -307,6 +311,10 @@ static void readPalette(struct Chunk chunk) { } palette.len = chunk.size / 3; + if (palette.len > 256) { + errx(EX_DATAERR, "%s: PLTE length %u > 256", path, palette.len); + } + readExpect(palette.entries, chunk.size, "palette data"); readCrc(); @@ -323,6 +331,9 @@ static void writePalette(void) { static void readTrans(struct Chunk chunk) { trans.len = chunk.size; + if (trans.len > 256) { + errx(EX_DATAERR, "%s: tRNS length %u > 256", path, trans.len); + } readExpect(trans.alpha, chunk.size, "transparency alpha"); readCrc(); if (verbose) fprintf(stderr, "%s: transparency length %u\n", path, trans.len); |