Sophie: libpng12-2:1.2.55-1.mga5 src

libpng12-1.2.55-1.mga5.src.rpm

http://sourceforge.net/p/libpng/code/ci/798d3de5f66b6df6d6605f968da641c24725b15e
http://sourceforge.net/p/libpng/code/ci/77a0a2ea113e699c7021caf1a530d2e2dd90b497
Index: pngset.c
===================================================================
--- pngset.c.orig	2014-04-24 14:13:43.144134631 +0200
+++ pngset.c	2014-04-24 14:23:31.461124549 +0200
@@ -664,6 +664,17 @@
    /* Make sure we have enough space in the "text" array in info_struct
     * to hold all of the incoming text_ptr objects.
     */
+
+   if (num_text < 0 ||
+       num_text > INT_MAX - info_ptr->num_text - 8 ||
+       (unsigned int)/*SAFE*/(num_text +/*SAFE*/
+       info_ptr->num_text + 8) >=
+       PNG_SIZE_MAX/png_sizeof(png_text))
+   {
+      png_warning(png_ptr, "too many text chunks");
+      return(0);
+   }
+
    if (info_ptr->num_text + num_text > info_ptr->max_text)
    {
       int old_max_text = info_ptr->max_text;
@@ -921,9 +932,19 @@
    if (png_ptr == NULL || info_ptr == NULL)
       return;
 
-   np = (png_sPLT_tp)png_malloc_warn(png_ptr,
-       (info_ptr->splt_palettes_num + nentries) *
-        (png_uint_32)png_sizeof(png_sPLT_t));
+   if (nentries < 0 ||
+       nentries > INT_MAX-info_ptr->splt_palettes_num ||
+       (unsigned int)/*SAFE*/(nentries +/*SAFE*/
+       info_ptr->splt_palettes_num) >=
+       PNG_SIZE_MAX/png_sizeof(png_sPLT_t))
+      np=NULL;
+
+   else
+
+      np = (png_sPLT_tp)png_malloc_warn(png_ptr,
+          (info_ptr->splt_palettes_num + nentries) *
+          (png_size_t)png_sizeof(png_sPLT_t));
+
    if (np == NULL)
    {
       png_warning(png_ptr, "No memory for sPLT palettes.");