File optipng-CVE-2016-2191.patch of Package optipng

Overview Repositories Revisions Requests Users Attributes Meta

File optipng-CVE-2016-2191.patch of Package optipng

Index: src/pngxtern/pngxrbmp.c
===================================================================
--- src/pngxtern/pngxrbmp.c.orig	2014-02-23 17:37:00.000000000 +0100
+++ src/pngxtern/pngxrbmp.c	2016-04-05 10:56:04.803623081 +0200
@@ -152,10 +152,13 @@
    size_t result;
    int ch;
 
+   if (len == 0)
+     return 0;
+
    ptr += offset / 2;
    if (offset & 1)  /* use half-byte operations at odd offset */
    {
-      for (result = 0; result < len; result += 2)
+      for (result = 0; result < len - 1; result += 2)
       {
          ch = getc(stream);
          if (ch == EOF)
@@ -269,8 +272,7 @@
          bmp_memset_fn = bmp_rle4_memset;
          bmp_fread_fn = bmp_rle4_fread;
       }
-      crt_row = begin_row;
-      for ( ; ; )
+      for (crt_row = begin_row; crt_row != end_row; )
       {
          ch = getc(stream); b1 = (unsigned int)ch;
          ch = getc(stream); b2 = (unsigned int)ch;
@@ -300,6 +302,7 @@
             {
                bmp_memset_fn(*crt_row, crtn, 0, endn - crtn);
                crt_row += inc;
+               crtn = 0;
                result = (begin_row <= end_row) ?
                   (end_row - begin_row) : (begin_row - end_row);
                break;  /* the rest is wiped out at the end */
@@ -311,16 +314,17 @@
                if (ch == EOF)
                   break;
                dcrtn = (b1 < endn - crtn) ? (crtn + b1) : endn;
-               if (b2 > (size_t)((end_row - crt_row) * inc))
-                  b2 = (unsigned int)((end_row - crt_row) * inc);
                for ( ; b2 > 0; --b2)
                {
                   bmp_memset_fn(*crt_row, crtn, 0, endn - crtn);
                   crt_row += inc;
                   crtn = 0;
                   ++result;
+                  if (crt_row == end_row)
+                      break;
                }
-               bmp_memset_fn(*crt_row, crtn, 0, dcrtn - crtn);
+               if (crt_row != end_row)
+                  bmp_memset_fn(*crt_row, crtn, 0, dcrtn - crtn);
             }
             else  /* b2 >= 3 bytes in absolute mode */
             {

Places

File optipng-CVE-2016-2191.patch of Package optipng

Places