[legacy] Check for integer overflow in png_set_rgb_to_gray().
diff --git a/ANNOUNCE b/ANNOUNCE
index fb36db7..df125bf 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -113,6 +113,9 @@
Ported bugfix in pngrtran.c from 1.5.3: when expanding a paletted image,
always expand to RGBA if transparency is present.
+version 1.2.45beta02 [June 7, 2011]
+ Check for integer overflow in png_set_rgb_to_gray().
+
(subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement
to subscribe) or to glennrp at users.sourceforge.net
diff --git a/CHANGES b/CHANGES
index 00ec950..738365f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2714,6 +2714,9 @@
Ported bugfix in pngrtran.c from 1.5.3: when expanding a paletted image,
always expand to RGBA if transparency is present.
+version 1.2.45beta02 [June 7, 2011]
+ Check for integer overflow in png_set_rgb_to_gray().
+
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/pngrtran.c b/pngrtran.c
index ca05fe9..3e2413d 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -676,10 +676,21 @@
png_set_rgb_to_gray(png_structp png_ptr, int error_action, double red,
double green)
{
- int red_fixed = (int)((float)red*100000.0 + 0.5);
- int green_fixed = (int)((float)green*100000.0 + 0.5);
+ int red_fixed, green_fixed;
if (png_ptr == NULL)
return;
+ if (red > 21474.83647 || red < -21474.83648 ||
+ green > 21474.83647 || green < -21474.83648)
+ {
+ png_warning(png_ptr, "ignoring out of range rgb_to_gray coefficients");
+ red_fixed = -1;
+ green_fixed = -1;
+ }
+ else
+ {
+ red_fixed = (int)((float)red*100000.0 + 0.5);
+ green_fixed = (int)((float)green*100000.0 + 0.5);
+ }
png_set_rgb_to_gray_fixed(png_ptr, error_action, red_fixed, green_fixed);
}
#endif