[legacy] Check for sCAL chunk too short.
diff --git a/ANNOUNCE b/ANNOUNCE
index f9e2f82..5030b23 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
-Libpng 1.2.45beta03 - June 8, 2011
+Libpng 1.2.45beta03 - June 18, 2011
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
@@ -113,8 +113,9 @@
Ported bugfix in pngrtran.c from 1.5.3: when expanding a paletted image,
always expand to RGBA if transparency is present.
-version 1.2.45beta02 [June 8, 2011]
+version 1.2.45beta02 [June 18, 2011]
Check for integer overflow in png_set_rgb_to_gray().
+ Check for sCAL chunk too short.
(subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/CHANGES b/CHANGES
index 04dff54..1d00cf1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2714,8 +2714,9 @@
Ported bugfix in pngrtran.c from 1.5.3: when expanding a paletted image,
always expand to RGBA if transparency is present.
-version 1.2.45beta02 [June 8, 2011]
+version 1.2.45beta02 [June 18, 2011]
Check for integer overflow in png_set_rgb_to_gray().
+ Check for sCAL chunk too short.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/pngrutil.c b/pngrutil.c
index 1e2db31..9e5ffd6 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1812,6 +1812,14 @@
return;
}
+ /* Need unit type, width, \0, height: minimum 4 bytes */
+ else if (length < 4)
+ {
+ png_warning(png_ptr, "sCAL chunk too short");
+ png_crc_finish(png_ptr, length);
+ return;
+ }
+
png_debug1(2, "Allocating and reading sCAL chunk data (%lu bytes)",
length + 1);
png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
