Fix buffer overflow security vulnerability (CVE-2014-9495)

Fixes the heap-based buffer overflow in the png_combine_row
function, when running on 64-bit systems. Might allow context-
dependent attackers to execute arbitrary code via a
"very wide interlaced" PNG image.

This is a cherry-pick of commit dc294204b641373bc6eb603075a8b98f51a75dd8
from upstream branch libpng16

bug: 19474828

Signed-off-by: Henrik Smiding <henrik.smiding@intel.com>

(cherry picked from commit 3ae1ad1c8460c90ae2d2028edde0c4d92316e71d)

Change-Id: Ia8dae5e5d0b8b8840c8871de99f35e03f6fbcc39

1 files changed, 3 insertions, 3 deletions

diff --git a/pngrutil.c b/pngrutil.c
index 9638bedd1..381d83076 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -3028,7 +3028,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
 {
    unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
    png_const_bytep sp = png_ptr->row_buf + 1;
-   png_uint_32 row_width = png_ptr->width;
+   png_alloc_size_t row_width = png_ptr->width;
    unsigned int pass = png_ptr->pass;
    png_bytep end_ptr = 0;
    png_byte end_byte = 0;
@@ -3301,7 +3301,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
 
             /* But don't allow this number to exceed the actual row width. */
             if (bytes_to_copy > row_width)
-               bytes_to_copy = row_width;
+               bytes_to_copy = (unsigned int)/*SAFE*/row_width;
          }
 
          else /* normal row; Adam7 only ever gives us one pixel to copy. */
@@ -3481,7 +3481,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
                   dp += bytes_to_jump;
                   row_width -= bytes_to_jump;
                   if (bytes_to_copy > row_width)
-                     bytes_to_copy = row_width;
+                     bytes_to_copy = (unsigned int)/*SAFE*/row_width;
                }
          }