Hi Ola,
> I have reviewed your code and it looks good to me. I do not know this
> library very well however so may have overlooked something. But the
> checks looks ok.
>
> What I'm not sure of is the break statement, but I guess you have
> control over that part.
Thanks for your review !
This code is executed in a big do-while structure, that's why we break
in case of errors (upstream did it at line 620 for example). The return
value res is initialized with value 1 (=error) at line 524 so we return
error. Error handling is then realised at line 1891.
> Have you tested that the solution work against some test image that
> breaked it in earlier version?
> Have you done any form of regression test?
I have tested with the original reproducer and crafted myself other
malicious apng files to trigger the case where (h > UINT_MAX/(4*(frames+1))) or
(w > UINT_MAX/(4*(frames+1))) which I forgot to handle at the beginning.
regression tests with two "normal" apng files, everything was working
fine.
If nobody is against it, I'd upload this patch now.
Cheers,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
Attachment:
signature.asc
Description: PGP signature