author | Lode <lvandeve@gmail.com> | 2014-11-20 01:47:54 +0100 |
---|---|---|
committer | Lode <lvandeve@gmail.com> | 2014-11-20 01:47:54 +0100 |
commit | 76577a213aead1da174b3afb234720438261a533 (patch) | |
tree | aa0b7155234f1c2ac1a085de53bc645dc6eb6cce | |
parent | a2c1203a0cdafee8e89fd116f512e5d96d94d27b (diff) |
avoid too big pixel sizes
-rw-r--r-- | lodepng.cpp | 8 | ||||
-rw-r--r-- | lodepng_unittest.cpp | 13 |
2 files changed, 16 insertions, 5 deletions
diff --git a/lodepng.cpp b/lodepng.cpp index ee9f168..0c60dc2 100644 --- a/lodepng.cpp +++ b/lodepng.cpp @@ -4438,6 +4438,13 @@ static void decodeGeneric(unsigned char** out, unsigned* w, unsigned* h, state->error = lodepng_inspect(w, h, state, in, insize); /*reads header and resets other parameters in state->info_png*/ if(state->error) return; + size_t numpixels = *w * *h; + if(*h != 0 && numpixels / *h != *w) + { + state->error = 92; /*multiplication overflow*/ + return; + } + ucvector_init(&idat); chunk = &in[33]; /*first byte of the first chunk after the header*/ @@ -5880,6 +5887,7 @@ const char* lodepng_error_text(unsigned code) /*the windowsize in the LodePNGCompressSettings. Requiring POT(==> & instead of %) makes encoding 12% faster.*/ case 90: return "windowsize must be a power of two"; case 91: return "invalid decompressed idat size"; + case 92: return "too many pixels, not supported"; } return "unknown error code"; } diff --git a/lodepng_unittest.cpp b/lodepng_unittest.cpp index a633a97..f2b1cf7 100644 --- a/lodepng_unittest.cpp +++ b/lodepng_unittest.cpp 
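Review bot: The new guard in decodeGeneric bounds only the pixel count `*w * *h`, not the byte size that is later derived from it. That allocation code is outside this hunk, so this is inferred, but on a target where size_t is 32 bits a count that passes the check could still wrap once it is multiplied by the bytes per pixel (up to 8 for 16-bit RGBA). Consider folding the worst-case factor into the same test, for example `if(*h != 0 && (numpixels / *h != *w || numpixels > ((size_t)-1) / 8))`, with some margin for the per-scanline filter bytes. The product is also evaluated in `unsigned` before it is converted to `size_t`, so a comment such as `/*computed in unsigned on purpose: the division below detects the wrap*/` would stop a later `size_t` cast from changing what the check rejects on 64-bit builds. decodeGeneric's body starts and ends outside the hunk.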
@@ -1166,20 +1166,23 @@ void testFuzzing()
 std::vector<unsigned char> result;
 std::map<unsigned, unsigned> errors;
 unsigned w, h;
+ lodepng::State state;
+ state.decoder.ignore_crc = 1;
+ state.decoder.zlibsettings.ignore_adler32 = 1;
 for(size_t i = 0; i < png.size(); i++)
 {
 result.clear();
 broken[i] = ~png[i];
- errors[lodepng::decode(result, w, h, broken)]++;
+ errors[lodepng::decode(result, w, h, state, broken)]++;
 broken[i] = 0;
- errors[lodepng::decode(result, w, h, broken)]++;
+ errors[lodepng::decode(result, w, h, state, broken)]++;
 for(int j = 0; j < 8; j++)
 {
 broken[i] = flipBit(png[i], j);
- errors[lodepng::decode(result, w, h, broken)]++;
+ errors[lodepng::decode(result, w, h, state, broken)]++;
 }
 broken[i] = 255;
- errors[lodepng::decode(result, w, h, broken)]++;
+ errors[lodepng::decode(result, w, h, state, broken)]++;
 broken[i] = png[i]; //fix it again for the next test
 }
 std::cout << "testFuzzing shrinking" << std::endl;
@@ -1187,7 +1190,7 @@ void testFuzzing()
 while(broken.size() > 0)
 {
 broken.resize(broken.size() - 1);
- errors[lodepng::decode(result, w, h, broken)]++;
+ errors[lodepng::decode(result, w, h, state, broken)]++;
 }
 //For fun, print the number of each error |
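Review bot: Nothing in testFuzzing asserts the new error 92 path: both hunks only tally whatever code `lodepng::decode` returns into `errors`, so a regression in the overflow guard would go unnoticed. A small deterministic case would pin it: copy the valid `png`, overwrite the IHDR width and height bytes with large values, and check that decode returns 92. Separately, the single `state` is now reused for every mutated input in both loops, so a failure that depends on leftovers from the previous decode would be hard to reproduce. Either construct a fresh `lodepng::State` per iteration or add a comment such as `//state is reused on purpose; decode resets info_png for each input`, if that is confirmed to hold. testFuzzing starts and ends outside these hunks.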