APNG decoder does not detect width+offset too large

RESOLVED FIXED

Status

Core
ImageLib
10 years ago
9 years ago

People

(Reporter: Glenn Randers-Pehrson, Assigned: Glenn Randers-Pehrson)

Tracking

(Blocks: 1 bug)

Trunk
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(1 attachment)

Description

10 years ago
Created attachment 276891
Make subimage dimensions test as stringent as the APNG spec (checked in)

The APNG specification (see URL above) requires

   `x_offset` + `width`  <= `IHDR` width
   `y_offset` + `height` <= `IHDR` height

But the test in png_ensure_fcTL_is_valid() in pngset.c only tests the size of `width` and `height` and not their sums with the offsets.
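
The difference between the two tests, as an added C example (it is not the attached patch and not libpng's code). The struct, the function names and the sample frames are hypothetical; the spec test is written with subtraction so that the 32-bit sum of offset and size cannot wrap around.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical struct for this example; fields follow the APNG fcTL chunk. */
typedef struct {
    uint32_t width, height;      /* sub-image size */
    uint32_t x_offset, y_offset; /* sub-image position inside the canvas */
} fctl_t;

/* Sketch of a size-only test as the report describes it: each dimension is
 * compared with the IHDR dimension and the offsets are ignored. */
static bool fctl_size_only_ok(const fctl_t *f, uint32_t ihdr_w, uint32_t ihdr_h)
{
    return f->width <= ihdr_w && f->height <= ihdr_h;
}

/* Spec test: x_offset + width <= IHDR width, y_offset + height <= IHDR height.
 * Rearranged as offset <= IHDR - size so the addition is never performed. */
static bool fctl_spec_ok(const fctl_t *f, uint32_t ihdr_w, uint32_t ihdr_h)
{
    if (f->width > ihdr_w || f->height > ihdr_h)
        return false;
    return f->x_offset <= ihdr_w - f->width &&
           f->y_offset <= ihdr_h - f->height;
}

int main(void)
{
    /* Constructed sample frames for a 100x100 canvas. */
    const fctl_t frames[] = {
        { 100, 100, 0, 0 },          /* full frame */
        { 40, 40, 60, 60 },          /* touches the edge exactly */
        { 40, 40, 61, 0 },           /* one column past the right edge */
        { 16, 16, 0xFFFFFFF8u, 0 },  /* sum wraps to 8 in 32-bit arithmetic */
    };
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++)
        printf("frame %zu: size-only=%d spec=%d\n", i,
               fctl_size_only_ok(&frames[i], 100, 100),
               fctl_spec_ok(&frames[i], 100, 100));
    return 0;
}
```

The last two frames pass the size-only test and fail the spec test; a naive `x_offset + width <= ihdr_w` in `uint32_t` would also accept the last one.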

Comment 1

10 years ago
Comment on attachment 276891
Make subimage dimensions test as stringent as the APNG spec (checked in)

It's a good fix.
Attachment #276891 - Flags: superreview?(pavlov)
Attachment #276891 - Flags: review+
Attachment #276891 - Flags: approval1.9?

Updated

10 years ago
Attachment #276891 - Flags: superreview?(pavlov) → superreview+
Attachment #276891 - Flags: approval1.9? → approval1.9+

Updated

10 years ago
Keywords: checkin-needed
Assignee: nobody → glennrp

Updated

10 years ago
Status: NEW → ASSIGNED
modules/libimg/png/pngset.c 3.15
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Keywords: checkin-needed
Resolution: --- → FIXED

Updated

10 years ago
Attachment #276891 - Attachment description: Make subimage dimensions test as stringent as the APNG spec → Make subimage dimensions test as stringent as the APNG spec (checked in)

Updated

9 years ago
Blocks: 495609