[master] Check for sCAL chunk too short.
diff --git a/ANNOUNCE b/ANNOUNCE
index 72860ed..bd4697d 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -49,7 +49,8 @@
Frank Busse, related to CVE-2004-0421).
version 1.4.8beta05 [June 18, 2011]
- Fixed error in "ACCURATE" 16-to-8 scaling.
+ Fixed error in "ACCURATE" 16-to-8 scaling (John Bowler).
+ Check for sCAL chunk too short.
Send comments/corrections/commendations to glennrp at users.sourceforge.net
or to png-mng-implement at lists.sf.net (subscription required; visit
diff --git a/CHANGES b/CHANGES
index b180e60..c2e1261 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2817,7 +2817,8 @@
Frank Busse, related to CVE-2004-0421).
version 1.4.8beta05 [June 18, 2011]
- Fixed error in "ACCURATE" 16-to-8 scaling.
+ Fixed error in "ACCURATE" 16-to-8 scaling (John Bowler).
+ Check for sCAL chunk too short.
Send comments/corrections/commendations to glennrp at users.sourceforge.net
or to png-mng-implement at lists.sf.net (subscription required; visit
diff --git a/pngrutil.c b/pngrutil.c
index 113589c..116f5de 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1861,6 +1861,14 @@
return;
}
+ /* Need unit type, width, \0, height: minimum 4 bytes */
+ else if (length < 4)
+ {
+ png_warning(png_ptr, "sCAL chunk too short");
+ png_crc_finish(png_ptr, length);
+ return;
+ }
+
png_debug1(2, "Allocating and reading sCAL chunk data (%lu bytes)",
(unsigned long)(length + 1));
png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
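Review bot: The new `length < 4` guard only sets a lower bound on the sCAL chunk size; it does not establish that the `\0` separator between width and height lies within the `length` bytes that are read afterwards. The parsing after the `png_malloc_warn(png_ptr, length + 1)` call is outside this hunk, so it should be confirmed that the scan for the separator is bounded by `chunkdata + length` and that an empty width or height string is rejected rather than parsed. The comment could state that division of labour, e.g. `/* Need unit type, width, \0, height: minimum 4 bytes; field layout is validated after the read */`. The enclosing function starts and ends outside the hunk, and `length` is presumably capped before this handler runs so that `length + 1` cannot wrap, which is worth verifying against the chunk-header reader.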