- Improves handling of certain invalid PNGs by stb_imageepel9
Benjamin A. Beasley
2 years ago
parent
382f123204
commit
67ed2c4abc
@ -0,0 +1,32 @@
|
||||
From b5d9d9719b001c67ca922df547a85a0fae364997 Mon Sep 17 00:00:00 2001
|
||||
From: Neil Bickford <nbickford@nvidia.com>
|
||||
Date: Fri, 15 Oct 2021 11:04:41 -0700
|
||||
Subject: [PATCH] stb_image PNG: Checks for invalid DEFLATE codes.
|
||||
|
||||
Specifically, this rejects length codes 286 and 287, and distance codes 30 and 31.
|
||||
This avoids a scenario in which a file could contain a table in which
|
||||
0 corresponded to length code 287, which would result in writing 0 bits.
|
||||
|
||||
Signed-off-by: Neil Bickford <nbickford@nvidia.com>
|
||||
---
|
||||
stb_image.h | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/stb_image.h b/stb_image.h
|
||||
index d60371b95..ab616c56d 100644
|
||||
--- a/stb_image.h
|
||||
+++ b/stb_image.h
|
||||
@@ -4256,11 +4256,12 @@ static int stbi__parse_huffman_block(stbi__zbuf *a)
|
||||
a->zout = zout;
|
||||
return 1;
|
||||
}
|
||||
+ if (z >= 286) return stbi__err("bad huffman code","Corrupt PNG"); // per DEFLATE, length codes 286 and 287 must not appear in compressed data
|
||||
z -= 257;
|
||||
len = stbi__zlength_base[z];
|
||||
if (stbi__zlength_extra[z]) len += stbi__zreceive(a, stbi__zlength_extra[z]);
|
||||
z = stbi__zhuffman_decode(a, &a->z_distance);
|
||||
- if (z < 0) return stbi__err("bad huffman code","Corrupt PNG");
|
||||
+ if (z < 0 || z >= 30) return stbi__err("bad huffman code","Corrupt PNG"); // per DEFLATE, distance codes 30 and 31 must not appear in compressed data
|
||||
dist = stbi__zdist_base[z];
|
||||
if (stbi__zdist_extra[z]) dist += stbi__zreceive(a, stbi__zdist_extra[z]);
|
||||
if (zout - a->zout_start < dist) return stbi__err("bad dist","Corrupt PNG");
|
||||
Loading…
Reference in new issue