
Prevent buffer overflows in pngo

June 1 month ago
parent
commit
69eb11b847
Signed by: Curtis McEnroe <june@causal.agency> GPG Key ID: CEA2F97ADCFCD77C
1 changed files with 13 additions and 2 deletions
  1. 13
    2
      bin/pngo.c

+ 13
- 2
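--- a/bin/pngo.c
+++ b/bin/pngo.c
@@ -110,8 +110,12 @@ static void skipChunk(struct Chunk chunk) {
 	if (!(chunk.type[0] & 0x20)) {
 		errx(EX_CONFIG, "%s: unsupported critical chunk %s", path, typeStr(chunk));
 	}
-	uint8_t discard[chunk.size];
-	readExpect(discard, sizeof(discard), "chunk data");
+	uint8_t discard[4096];
+	while (chunk.size > sizeof(discard)) {
+		readExpect(discard, sizeof(discard), "chunk data");
+		chunk.size -= sizeof(discard);
+	}
+	if (chunk.size) readExpect(discard, chunk.size, "chunk data");
 	readCrc();
 }
 
@@ -307,6 +311,10 @@ static void readPalette(struct Chunk chunk) {
 	}
 
 	palette.len = chunk.size / 3;
+	if (palette.len > 256) {
+		errx(EX_DATAERR, "%s: PLTE length %u > 256", path, palette.len);
+	}
+
 	readExpect(palette.entries, chunk.size, "palette data");
 	readCrc();
 
@@ -323,6 +331,9 @@ static void writePalette(void) {
 
 static void readTrans(struct Chunk chunk) {
 	trans.len = chunk.size;
+	if (trans.len > 256) {
+		errx(EX_DATAERR, "%s: tRNS length %u > 256", path, trans.len);
+	}
 	readExpect(trans.alpha, chunk.size, "transparency alpha");
 	readCrc();
 	if (verbose) fprintf(stderr, "%s: transparency length %u\n", path, trans.len);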
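Review bot: In readPalette the new bound is applied to `palette.len` (that is, `chunk.size / 3`), but the following `readExpect(palette.entries, chunk.size, ...)` still reads `chunk.size` bytes, so a PLTE size that is not a multiple of 3 (for example 770, which yields a length of 256) passes the check and, if `palette.entries` holds 256 three-byte entries as the limit suggests, writes past its end. Checking the size that is actually read closes this: `if (chunk.size % 3 || chunk.size > sizeof(palette.entries)) {` (the PNG specification also treats a PLTE length not divisible by 3 as an error). The tRNS check in readTrans has the same shape and is only equivalent to bounding `chunk.size` if `trans.len` is at least as wide as `chunk.size`; the declarations are outside the visible hunks, so that should be confirmed. Both function bodies extend beyond their hunks.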
