[master] Check for sCAL chunk too short.
diff --git a/ANNOUNCE b/ANNOUNCE
index 72860ed..bd4697d 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -49,7 +49,8 @@
     Frank Busse, related to CVE-2004-0421).
 
 version 1.4.8beta05 [June 18, 2011]
-  Fixed error in "ACCURATE" 16-to-8 scaling.
+  Fixed error in "ACCURATE" 16-to-8 scaling (John Bowler).
+  Check for sCAL chunk too short.
 
 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit
diff --git a/CHANGES b/CHANGES
index b180e60..c2e1261 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2817,7 +2817,8 @@
     Frank Busse, related to CVE-2004-0421).
 
 version 1.4.8beta05 [June 18, 2011]
-  Fixed error in "ACCURATE" 16-to-8 scaling.
+  Fixed error in "ACCURATE" 16-to-8 scaling (John Bowler).
+  Check for sCAL chunk too short.
 
 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit
diff --git a/pngrutil.c b/pngrutil.c
index 113589c..116f5de 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1861,6 +1861,14 @@
       return;
    }
 
+   /* Need unit type, width, \0, height: minimum 4 bytes */
+   else if (length < 4)
+   {
+      png_warning(png_ptr, "sCAL chunk too short");
+      png_crc_finish(png_ptr, length);
+      return;
+   }
+
    png_debug1(2, "Allocating and reading sCAL chunk data (%lu bytes)",
       (unsigned long)(length + 1));
    png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
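Review bot: The added `length < 4` guard is only a lower bound on the chunk size: it does not establish that the `\0` separator between width and height lies inside the `length` bytes, so a 4-byte chunk with no separator still reaches the `png_malloc_warn` allocation at the end of the hunk. The parsing that follows is outside the hunk, so it should be confirmed that the scan for the separator is bounded by `length` rather than relying on the extra terminating byte alone. The comment could make the limit of the check explicit, e.g. `/* Need unit type, width, \0, height: minimum 4 bytes. Lower bound only; the separator position must still be checked after the read. */`. As a style point, the `else if` follows a branch that ends in `return;` and is separated from it by a blank line and a comment, so a plain `if (length < 4)` would read more clearly.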