stb_image: More input validation in deflate decoder

Fixes issue #312.
This commit is contained in:
Fabian Giesen 2016-08-12 13:44:11 -07:00
parent 2f4166e91d
commit 8c8d735eb7
1 changed files with 17 additions and 14 deletions

View File

@ -3721,6 +3721,7 @@ static int stbi__compute_huffman_codes(stbi__zbuf *a)
int hlit = stbi__zreceive(a,5) + 257;
int hdist = stbi__zreceive(a,5) + 1;
int hclen = stbi__zreceive(a,4) + 4;
int ntot = hlit + hdist;
memset(codelength_sizes, 0, sizeof(codelength_sizes));
for (i=0; i < hclen; ++i) {
@ -3730,27 +3731,29 @@ static int stbi__compute_huffman_codes(stbi__zbuf *a)
if (!stbi__zbuild_huffman(&z_codelength, codelength_sizes, 19)) return 0;
n = 0;
while (n < hlit + hdist) {
while (n < ntot) {
int c = stbi__zhuffman_decode(a, &z_codelength);
if (c < 0 || c >= 19) return stbi__err("bad codelengths", "Corrupt PNG");
if (c < 16)
lencodes[n++] = (stbi_uc) c;
else if (c == 16) {
c = stbi__zreceive(a,2)+3;
memset(lencodes+n, lencodes[n-1], c);
n += c;
} else if (c == 17) {
c = stbi__zreceive(a,3)+3;
memset(lencodes+n, 0, c);
n += c;
} else {
STBI_ASSERT(c == 18);
c = stbi__zreceive(a,7)+11;
memset(lencodes+n, 0, c);
else {
stbi_uc fill = 0;
if (c == 16) {
c = stbi__zreceive(a,2)+3;
if (n == 0) return stbi__err("bad codelengths", "Corrupt PNG");
fill = lencodes[n-1];
} else if (c == 17)
c = stbi__zreceive(a,3)+3;
else {
STBI_ASSERT(c == 18);
c = stbi__zreceive(a,7)+11;
}
if (ntot - n < c) return stbi__err("bad codelengths", "Corrupt PNG");
memset(lencodes+n, fill, c);
n += c;
}
}
if (n != hlit+hdist) return stbi__err("bad codelengths","Corrupt PNG");
if (n != ntot) return stbi__err("bad codelengths","Corrupt PNG");
if (!stbi__zbuild_huffman(&a->z_length, lencodes, hlit)) return 0;
if (!stbi__zbuild_huffman(&a->z_distance, lencodes+hlit, hdist)) return 0;
return 1;