[vlc-devel] [PATCH] png: Check length before read

Edward Wang edward.c.wang at compdigitec.com
Mon Oct 15 00:17:38 CEST 2012


---
 Fixes the problem reported at http://www.exploit-db.com/exploits/21889/

 modules/codec/png.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/modules/codec/png.c b/modules/codec/png.c
index acd5694..cf193dd 100644
--- a/modules/codec/png.c
+++ b/modules/codec/png.c
@@ -92,6 +92,10 @@ static void user_read( png_structp p_png, png_bytep data, png_size_t i_length )
 {
     block_t *p_block = (block_t *)png_get_io_ptr( p_png );
     png_size_t i_read = __MIN( p_block->i_buffer, i_length );
+    if( i_length > p_block->i_buffer ) {
+        png_error( p_png, "requested length greater than what remains in buffer, aborting!" );
+        return;
+    }
     memcpy( data, p_block->p_buffer, i_length );
     p_block->p_buffer += i_length;
     p_block->i_buffer -= i_length;
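Review bot: `i_read` on the line above the new guard already holds `__MIN( p_block->i_buffer, i_length )`, and with the guard in place nothing in the visible lines reads it, so the bound is now expressed twice. Writing the guard as `if( i_read != i_length )` would reuse it, or the declaration can be dropped; if the part of user_read below the hunk still compares `i_length` with `i_read`, that check can no longer fire and should be removed with it. The `return;` after `png_error()` is reached only if png_error returns, which libpng documents it does not, so it is defensive at most. A short comment such as `/* refuse short blocks before memcpy: i_length is what libpng asks for, not what the block holds */` would record why the check has to precede the copy. user_read's body continues outside the hunk.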
-- 
1.7.5.4



