Commits

Anonymous committed 7227885

- MFB: #86, Possible infinite loop in libgd/gd_png.c

Comments (0)

Files changed (3)

 72, gdImageAALine draws axis lines with two pixels width
 73, TTF usage doesn't work properly on Netware (Guenter Knauf, Scott MacVicar)
 74, gdImageArc CPU usage with large angles
+78, gdImageFilledRectangle regression fixed when used with reversed edges
+86, Possible infinite loop in libgd/gd_png.c, flaw found by Xavier Roche
+    (Pierre)
 
 GD 2.0.34 (2007-02-07)
  3, Initialize variables in tweenColorTest, fix cache
 static void
 gdPngReadData (png_structp png_ptr, png_bytep data, png_size_t length)
 {
-  gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
+  int check;
+  check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
+  if (check != length) {
+    png_error(png_ptr, "Read Error: truncated data");
+  }
 }
 
 static void

src/tests/png/bug00086.c

+/* $Id$ */
+/* id: gdbad3.c, Xavier Roche, May. 2007 */
+/* gcc gdbad3.c -o bad -lgd && ./bad */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include "gd.h"
+
+static const unsigned char pngdata[93];
+int main(void) {
+	FILE *fp;
+	gdImagePtr im;
+	int i;
+	size_t out;
+
+	if ( ( im = gdImageCreateFromPngPtr(93, (char*) &pngdata[0]) ) == NULL) {
+		fprintf(stderr, "success!\n");
+		return 0;
+	} else {
+		fprintf(stderr, "failed!\n");
+		gdImageDestroy(im);
+		return 1;
+	}
+	return 0;
+}
+
+/* PNG data */
+static const unsigned char pngdata[93] = {137,80,78,71,13,10,26,10,0,0,
+0,13,73,72,68,82,0,0,0,120,0,0,0,131,8,6,0,0,0,70,49,223,8,0,0,0,6,98,
+75,71,68,0,255,0,255,0,255,160,189,167,147,0,0,0,9,112,72,89,115,0,0,92,
+70,0,0,92,70,1,20,148,67,65,0,0,0,9,118,112,65,103,0,0,0,120,0,0,0,131,
+0,226,13,249,45};
+