diff options
author | Winson Chung <winsonc@google.com> | 2017-02-15 20:12:56 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2017-02-15 20:12:56 +0000 |
commit | 948dd5fa710343070ba21fa1c011df653ab23a8c (patch) | |
tree | 87d2a0b919a243e55e42e35673a8f370c750ae25 | |
parent | de827770b89db5495016565e99c45c907099cf67 (diff) | |
parent | d44ed48f0ccd3b327f282809e7b7ba82a24993ab (diff) | |
download | libgdx-948dd5fa710343070ba21fa1c011df653ab23a8c.tar.gz |
Security fix for overflow check. am: ebb6f04c88
am: d44ed48f0c
Change-Id: Ife90186572843028c9f7974c6d0faa7e798c1208
-rw-r--r-- | gdx/jni/gdx2d/stb_image.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/gdx/jni/gdx2d/stb_image.h b/gdx/jni/gdx2d/stb_image.h index cf9ab59c2..d91b308af 100644 --- a/gdx/jni/gdx2d/stb_image.h +++ b/gdx/jni/gdx2d/stb_image.h @@ -4460,7 +4460,7 @@ static int stbi__parse_png_file(stbi__png *z, int scan, int req_comp) return stbi__err("Bad x","Bad x"); // initial guess for decoded data size to avoid unnecessary reallocs bpl = (s->img_x * depth + 7) / 8; // bytes per line, per component - if (bpl > (INT_MAX - s->img_y) / bpl / s->img_y) + if (bpl > (INT_MAX - s->img_y) / s->img_n / s->img_y) return stbi__err("Integer Overflow","y incorrect"); raw_len = bpl * s->img_y * s->img_n /* pixels */ + s->img_y /* filter mode per row */; z->expanded = (stbi_uc *) stbi_zlib_decode_malloc_guesssize_headerflag((char *) z->idata, ioff, raw_len, (int *) &raw_len, !is_iphone); |