From: John B. <joh...@gm...> - 2014-12-21 21:57:44
Testing 1.6 rc01 on 64-bit systems to ensure that the problem doesn't arise there reveals an unrelated overflow which causes a SEGV on certain interlaced files with very long rows. The problem happens around line 3257 of pngrutil.c, where the png_uint_32 value 'row_width', the width to process in pixels, is multiplied by pixels-per-byte. This can overflow, resulting in row_width becoming 0, which causes bytes_to_copy to become 0, which leads to an infinite do-while loop in the default switch case below, around line 3390. row_width should be png_alloc_size_t; then we know that the overflow cannot occur because row_width * 8 (the maximum pixel-bytes) fits in a size_t. I'm going to test that change, but it may require other changes because of the places where row_bytes is assigned to bytes_to_copy.

John Bowler
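The arithmetic described in the message, as an added example that is not libpng's own code: the 32-bit product that wraps to 0, the widened product that cannot wrap on a 64-bit build, an explicit overflow predicate, and a simplified model (not the real pngrutil.c loop) of how a copy step clamped to a wrapped width of 0 never makes progress. All function names and the sample row sizes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Largest PNG pixel is 16-bit RGBA: 8 bytes. */
#define MAX_PIXEL_BYTES 8u

/* Pre-fix arithmetic: a png_uint_32 row_width scaled to bytes in 32 bits.
 * Unsigned multiplication wraps modulo 2^32 and can land exactly on 0. */
uint32_t row_bytes_u32(uint32_t row_width, unsigned pixel_bytes)
{
    return row_width * pixel_bytes;
}

/* Fixed arithmetic: widen before multiplying. On a 64-bit build (size_t is
 * 64 bits) row_width * 8 always fits, so the product is exact. */
size_t row_bytes_sz(uint32_t row_width, unsigned pixel_bytes)
{
    return (size_t)row_width * pixel_bytes;
}

/* Explicit overflow predicate for the 32-bit product; a useful assertion on
 * 32-bit builds, where widening to size_t alone does not help. */
int row_bytes_overflow_u32(uint32_t row_width, unsigned pixel_bytes)
{
    return pixel_bytes != 0 && row_width > UINT32_MAX / pixel_bytes;
}

/* Simplified model of a "copy bytes_to_copy, advance, repeat" loop over a
 * row of row_bytes bytes. bytes_to_copy is clamped to the width the caller
 * computed (scaled_width); when that width wrapped to 0 the clamp makes the
 * step 0 and the loop never advances. Returns the iterations used, or 0 if
 * no progress was made within max_iters (the would-spin-forever case). */
unsigned copy_loop_iterations(size_t row_bytes, size_t scaled_width,
                              size_t bytes_to_copy, unsigned max_iters)
{
    size_t done = 0;
    unsigned iters = 0;
    if (bytes_to_copy > scaled_width)
        bytes_to_copy = scaled_width;      /* the clamp from the report */
    do {
        if (++iters > max_iters) return 0; /* no progress: bail out */
        done += bytes_to_copy;             /* stands in for the memcpy */
    } while (done < row_bytes);
    return iters;
}
```

With a width of 2^29 pixels at 8 bytes per pixel the 32-bit product is exactly 2^32, which wraps to 0; the size_t product keeps the true value.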