[libpng15] Check validity of "num_unknowns" parameter
of png_set_unknown_chunks().
diff --git a/ANNOUNCE b/ANNOUNCE
index 6d0e8f4..6a95c3e 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
-Libpng 1.5.14beta08 - January 7, 2013
+Libpng 1.5.14beta08 - January 10, 2013
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
@@ -73,7 +73,8 @@
which provide more extensive testing. Replaced pngtest.png because pngtest
writes the ancillary chunks in a different order.
-Version 1.5.14beta08 [January 7, 2013]
+Version 1.5.14beta08 [January 10, 2013]
+ Check validity of "num_unknowns" parameter of png_set_unknown_chunks().
===========================================================================
NOTICE November 17, 2012:
diff --git a/CHANGES b/CHANGES
index 292d34e..1bc7819 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3966,7 +3966,8 @@
which provide more extensive testing. Replaced pngtest.png because pngtest
writes the ancillary chunks in a different order.
-Version 1.5.14beta08 [January 7, 2013]
+Version 1.5.14beta08 [January 10, 2013]
+ Check validity of "num_unknowns" parameter of png_set_unknown_chunks().
===========================================================================
NOTICE November 17, 2012:
diff --git a/pngset.c b/pngset.c
index 95dbea8..6a1c109 100644
--- a/pngset.c
+++ b/pngset.c
@@ -1039,9 +1039,16 @@
if (png_ptr == NULL || info_ptr == NULL || num_unknowns == 0)
return;
- np = (png_unknown_chunkp)png_malloc_warn(png_ptr,
- (png_size_t)(info_ptr->unknown_chunks_num + num_unknowns) *
- png_sizeof(png_unknown_chunk));
+ if (num_unknowns < 0 ||
+ num_unknowns >= UINT_MAX-info_ptr->unknown_chunks_num ||
+ num_unknowns >= PNG_SIZE_MAX/png_sizeof(png_unknown_chunk)
+ - info_ptr->unknown_chunks_num)
+ np=NULL;
+
+ else
+ np = (png_unknown_chunkp)png_malloc_warn(png_ptr,
+ (png_size_t)(info_ptr->unknown_chunks_num + num_unknowns) *
+ png_sizeof(png_unknown_chunk));
if (np == NULL)
{
