Security fix for overflow check.

am: ebb6f04c88 Change-Id: Iadd83a509dd483e873f395d13fe0510d8e7a24ec
author: Winson Chung <winsonc@google.com> 2017-02-15 20:09:27 +0000
committer: android-build-merger <android-build-merger@google.com> 2017-02-15 20:09:27 +0000
commit: d44ed48f0ccd3b327f282809e7b7ba82a24993ab (patch)
tree: 87d2a0b919a243e55e42e35673a8f370c750ae25
parent: a9b9a33d76e120a36d0269cc23a86973d0815137 (diff)
parent: ebb6f04c8857930bd767dc7806f9c5c7a2dc910f (diff)
download: libgdx-d44ed48f0ccd3b327f282809e7b7ba82a24993ab.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/gdx/jni/gdx2d/stb_image.h b/gdx/jni/gdx2d/stb_image.h
index cf9ab59c2..d91b308af 100644
--- a/gdx/jni/gdx2d/stb_image.h
+++ b/gdx/jni/gdx2d/stb_image.h
@@ -4460,7 +4460,7 @@ static int stbi__parse_png_file(stbi__png *z, int scan, int req_comp)
                 return stbi__err("Bad x","Bad x");
             // initial guess for decoded data size to avoid unnecessary reallocs
             bpl = (s->img_x * depth + 7) / 8; // bytes per line, per component
-            if (bpl > (INT_MAX - s->img_y) / bpl / s->img_y)
+            if (bpl > (INT_MAX - s->img_y) / s->img_n / s->img_y)
                 return stbi__err("Integer Overflow","y incorrect");
             raw_len = bpl * s->img_y * s->img_n /* pixels */ + s->img_y /* filter mode per row */;
             z->expanded = (stbi_uc *) stbi_zlib_decode_malloc_guesssize_headerflag((char *) z->idata, ioff, raw_len, (int *) &raw_len, !is_iphone);
author	Winson Chung <winsonc@google.com>	2017-02-15 20:09:27 +0000
committer	android-build-merger <android-build-merger@google.com>	2017-02-15 20:09:27 +0000
commit	d44ed48f0ccd3b327f282809e7b7ba82a24993ab (patch)
tree	87d2a0b919a243e55e42e35673a8f370c750ae25
parent	a9b9a33d76e120a36d0269cc23a86973d0815137 (diff)
parent	ebb6f04c8857930bd767dc7806f9c5c7a2dc910f (diff)
download	libgdx-d44ed48f0ccd3b327f282809e7b7ba82a24993ab.tar.gz