protect against invalid chunk lengths in some tools

author: Lode <lvandeve@gmail.com> 2014-11-18 23:37:42 +0100
committer: Lode <lvandeve@gmail.com> 2014-11-18 23:37:42 +0100
commit: ba274d5b98d1582bba47a1591c9e02b1ff421352 (patch)
tree: 63a82d5e567b17bc140d67119ce8fd417651b972 /lodepng_util.cpp
parent: c7353101cea671073ba1a9f4ca9f4cf7e8dbc944 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/lodepng_util.cpp b/lodepng_util.cpp
index 3784b6e..ed054f0 100644
--- a/lodepng_util.cpp
+++ b/lodepng_util.cpp
@@ -51,8 +51,10 @@ unsigned getChunkInfo(std::vector<std::string>& names, std::vector<size_t>& size
     lodepng_chunk_type(type, chunk);
     if(std::string(type).size() != 4) return 1;
 
+    unsigned length = lodepng_chunk_length(chunk);
+    if(chunk + length >= end) return 1;
     names.push_back(type);
-    sizes.push_back(lodepng_chunk_length(chunk));
+    sizes.push_back(length);
 
     chunk = lodepng_chunk_next_const(chunk);
   }
@@ -180,6 +182,7 @@ unsigned getFilterTypesInterlaced(std::vector<std::vector<unsigned char> >& filt
     {
       const unsigned char* cdata = lodepng_chunk_data_const(chunk);
       unsigned clength = lodepng_chunk_length(chunk);
+      if(chunk + clength >= end) return 1; // corrupt chunk length
 
       for(unsigned i = 0; i < clength; i++)
       {
author	Lode <lvandeve@gmail.com>	2014-11-18 23:37:42 +0100
committer	Lode <lvandeve@gmail.com>	2014-11-18 23:37:42 +0100
commit	ba274d5b98d1582bba47a1591c9e02b1ff421352 (patch)
tree	63a82d5e567b17bc140d67119ce8fd417651b972 /lodepng_util.cpp
parent	c7353101cea671073ba1a9f4ca9f4cf7e8dbc944 (diff)