X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=contrib%2Fgregbook%2Freadppm.c;h=52e7027771325025942f43e9172759cd499f0fb2;hb=3b3d911f071ddadabc6ba5ba1f6e62ff52c90524;hp=7fefc3943ec47a1df394efbc1c1e631dba8e8934;hpb=7b7ccdda02217a442f273ef9684706ecdef2acc5;p=platform%2Fupstream%2Flibpng.git diff --git a/contrib/gregbook/readppm.c b/contrib/gregbook/readppm.c index 7fefc39..52e7027 100644 --- a/contrib/gregbook/readppm.c +++ b/contrib/gregbook/readppm.c @@ -9,7 +9,7 @@ --------------------------------------------------------------------------- - Copyright (c) 1998-2007 Greg Roelofs. All rights reserved. + Copyright (c) 1998-2007,2017 Greg Roelofs. All rights reserved. This software is provided "as is," without warranty of any kind, express or implied. In no event shall the author or contributors @@ -154,12 +154,17 @@ uch *readpng_get_image(double display_exponent, int *pChannels, ulg *pRowbytes) *pRowbytes = rowbytes = channels*width; *pChannels = channels; - if ((image_data = (uch *)malloc(rowbytes*height)) == NULL) { + Trace((stderr, "readpng_get_image: rowbytes = %ld, height = %ld\n", rowbytes, height)); + + /* Guard against integer overflow */ + if (height > ((size_t)(-1))/rowbytes) { + fprintf(stderr, PROGNAME ": image_data buffer would be too large\n", return NULL; } - Trace((stderr, "readpng_get_image: rowbytes = %ld, height = %ld\n", rowbytes, height)); - + if ((image_data = (uch *)malloc(rowbytes*height)) == NULL) { + return NULL; + } /* now we can go ahead and just read the whole image */
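Review bot: In the second hunk, the added line `fprintf(stderr, PROGNAME ": image_data buffer would be too large\n",` ends with a comma and never closes the call. As shown, the following `return NULL;` is parsed as part of the argument list, so the file will not compile; the line should end `...would be too large\n");`. The new guard also divides by `rowbytes`, which is `channels*width` from the line above it. A zero width would therefore divide by zero unless the header parsing outside this hunk already rejects it; `if (rowbytes == 0 || height > ((size_t)(-1))/rowbytes) {` would cover both cases before the `malloc(rowbytes*height)`. The body of readpng_get_image starts and ends outside the hunk, so earlier validation of `width` and `height` could not be checked here.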