Portions of the patch not actually fixing the bug were removed.
From fcf71a89265c78fc26243574dda3a872574a5c02 Mon Sep 17 00:00:00 2001
From: Andrea Mazzoleni <amadvance@gmail.com>
Date: Fri, 1 Mar 2019 20:40:25 +0100
Subject: [PATCH] Fix a buffer overflow with image of invalid size
---
 doc/history.d | 4 ++-- (removed)
 lib/png.c | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/lib/png.c b/lib/png.c
index cbf140b..f888a28 100644
--- a/lib/png.c
+++ b/lib/png.c
@@ -656,6 +656,11 @@ adv_error adv_png_read_ihdr(
 }
 *pix_pixel = pixel;
+ if (width_align < width) {
+ error_unsupported_set("Invalid image size");
+ goto err;
+ }
+
 if (data[10] != 0) { /* compression */
 error_unsupported_set("Unsupported compression, %d instead of 0", (unsigned)data[10]);
 goto err;
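Review bot: The new `if (width_align < width)` guard only detects wraparound in the rounding that produces `width_align`. That computation and the types of both variables lie outside this hunk, so it is worth confirming they are unsigned; with signed operands the overflow would be undefined behaviour and the comparison could not be relied on. Any later product of `width_align` with the height or the bytes per pixel that sizes the scanline or image buffer is not visible here and would need its own overflow check before allocation. The test also deserves a comment saying why it works, for example `/* width_align wrapped while rounding width up; reject before it sizes any buffer */`. Including the offending value in the message, as the neighbouring compression error does, would help triage of malformed files. The body of adv_png_read_ihdr starts and ends outside the hunk.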