diff options
author | Winson Chung <winsonc@google.com> | 2017-02-15 20:09:27 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2017-02-15 20:09:27 +0000 |
commit | d44ed48f0ccd3b327f282809e7b7ba82a24993ab (patch) | |
tree | 87d2a0b919a243e55e42e35673a8f370c750ae25 | |
parent | a9b9a33d76e120a36d0269cc23a86973d0815137 (diff) | |
parent | ebb6f04c8857930bd767dc7806f9c5c7a2dc910f (diff) | |
download | libgdx-d44ed48f0ccd3b327f282809e7b7ba82a24993ab.tar.gz |
Security fix for overflow check.
am: ebb6f04c88
Change-Id: Iadd83a509dd483e873f395d13fe0510d8e7a24ec
-rw-r--r-- | gdx/jni/gdx2d/stb_image.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/gdx/jni/gdx2d/stb_image.h b/gdx/jni/gdx2d/stb_image.h index cf9ab59c2..d91b308af 100644 --- a/gdx/jni/gdx2d/stb_image.h +++ b/gdx/jni/gdx2d/stb_image.h @@ -4460,7 +4460,7 @@ static int stbi__parse_png_file(stbi__png *z, int scan, int req_comp) return stbi__err("Bad x","Bad x"); // initial guess for decoded data size to avoid unnecessary reallocs bpl = (s->img_x * depth + 7) / 8; // bytes per line, per component - if (bpl > (INT_MAX - s->img_y) / bpl / s->img_y) + if (bpl > (INT_MAX - s->img_y) / s->img_n / s->img_y) return stbi__err("Integer Overflow","y incorrect"); raw_len = bpl * s->img_y * s->img_n /* pixels */ + s->img_y /* filter mode per row */; z->expanded = (stbi_uc *) stbi_zlib_decode_malloc_guesssize_headerflag((char *) z->idata, ioff, raw_len, (int *) &raw_len, !is_iphone); |