authorLode <lvandeve@gmail.com>2014-11-20 01:47:54 +0100
committerLode <lvandeve@gmail.com>2014-11-20 01:47:54 +0100
commit76577a213aead1da174b3afb234720438261a533 (patch)
treeaa0b7155234f1c2ac1a085de53bc645dc6eb6cce
parenta2c1203a0cdafee8e89fd116f512e5d96d94d27b (diff)
avoid too big pixel sizes
-rw-r--r--lodepng.cpp8
-rw-r--r--lodepng_unittest.cpp13
2 files changed, 16 insertions, 5 deletions
diff --git a/lodepng.cpp b/lodepng.cpp
index ee9f168..0c60dc2 100644
--- a/lodepng.cpp
+++ b/lodepng.cpp
@@ -4438,6 +4438,13 @@ static void decodeGeneric(unsigned char** out, unsigned* w, unsigned* h,
state->error = lodepng_inspect(w, h, state, in, insize); /*reads header and resets other parameters in state->info_png*/
if(state->error) return;
+ size_t numpixels = *w * *h;
+ if(*h != 0 && numpixels / *h != *w)
+ {
+ state->error = 92; /*multiplication overflow*/
+ return;
+ }
+
ucvector_init(&idat);
chunk = &in[33]; /*first byte of the first chunk after the header*/
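Review bot: The new guard in decodeGeneric bounds only the pixel count `*w * *h`, not the byte count that is later derived from it, so a count that passes can still wrap once it is multiplied by the bytes per pixel (up to 8 for 16-bit RGBA) on targets where size_t is 32 bits. The output buffer sizing is outside this hunk, so this is an inference to confirm against the code below, but an extra cap such as `if(numpixels > ((size_t)-1) / 8) { state->error = 92; return; }` would cover it. Note also that `*w * *h` is evaluated in `unsigned` before it is widened to size_t, so the check rejects anything above 2^32 pixels on every platform. If that limit is intended, a comment like `/*product is computed in unsigned, so this also caps images at 2^32 pixels on 64-bit*/` would make it explicit. decodeGeneric's body starts and continues outside the hunk.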
@@ -5880,6 +5887,7 @@ const char* lodepng_error_text(unsigned code)
/*the windowsize in the LodePNGCompressSettings. Requiring POT(==> & instead of %) makes encoding 12% faster.*/
case 90: return "windowsize must be a power of two";
case 91: return "invalid decompressed idat size";
+ case 92: return "too many pixels, not supported";
}
return "unknown error code";
}
diff --git a/lodepng_unittest.cpp b/lodepng_unittest.cpp
index a633a97..f2b1cf7 100644
--- a/lodepng_unittest.cpp
+++ b/lodepng_unittest.cpp
@@ -1166,20 +1166,23 @@ void testFuzzing()
std::vector<unsigned char> result;
std::map<unsigned, unsigned> errors;
unsigned w, h;
+ lodepng::State state;
+ state.decoder.ignore_crc = 1;
+ state.decoder.zlibsettings.ignore_adler32 = 1;
for(size_t i = 0; i < png.size(); i++)
{
result.clear();
broken[i] = ~png[i];
- errors[lodepng::decode(result, w, h, broken)]++;
+ errors[lodepng::decode(result, w, h, state, broken)]++;
broken[i] = 0;
- errors[lodepng::decode(result, w, h, broken)]++;
+ errors[lodepng::decode(result, w, h, state, broken)]++;
for(int j = 0; j < 8; j++)
{
broken[i] = flipBit(png[i], j);
- errors[lodepng::decode(result, w, h, broken)]++;
+ errors[lodepng::decode(result, w, h, state, broken)]++;
}
broken[i] = 255;
- errors[lodepng::decode(result, w, h, broken)]++;
+ errors[lodepng::decode(result, w, h, state, broken)]++;
broken[i] = png[i]; //fix it again for the next test
}
std::cout << "testFuzzing shrinking" << std::endl;
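Review bot: Every decode call in testFuzzing now runs with `ignore_crc` and `ignore_adler32` set, so the default configuration with checksum verification is no longer exercised by the byte-mutation loop here or by the shrinking loop in the next hunk. Running the same loops a second time with a default-constructed `lodepng::State` would keep both paths covered. The `errors` map is only tallied, so nothing pins the new error 92; a dedicated case that decodes a header whose width times height overflows 32 bits and asserts the returned code would confirm the check in lodepng.cpp. A single `state` is also reused across all calls, which presumably relies on decode resetting it after each failure, and a one-line comment stating that assumption would help. testFuzzing starts and ends outside the hunk.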
@@ -1187,7 +1190,7 @@ void testFuzzing()
while(broken.size() > 0)
{
broken.resize(broken.size() - 1);
- errors[lodepng::decode(result, w, h, broken)]++;
+ errors[lodepng::decode(result, w, h, state, broken)]++;
}
//For fun, print the number of each error