Avoid a harmless potential integer overflow in png_XYZ_from_xy().
This change replicates commit d46b57 applied to the libpng16
codebase.
Bug: 21039636
Change-Id: I1333196b8673aac6552cd438fd580dbd1d60ef11
diff --git a/png.c b/png.c
index 087a278..59e991b 100644
--- a/png.c
+++ b/png.c
@@ -1235,16 +1235,17 @@
/* Check xy and, implicitly, z. Note that wide gamut color spaces typically
* have end points with 0 tristimulus values (these are impossible end
- * points, but they are used to cover the possible colors.)
+ * points, but they are used to cover the possible colors). We check
+ * xy->whitey against 5, not 0, to avoid a possible integer overflow.
*/
- if (xy->redx < 0 || xy->redx > PNG_FP_1) return 1;
- if (xy->redy < 0 || xy->redy > PNG_FP_1-xy->redx) return 1;
+ if (xy->redx < 0 || xy->redx > PNG_FP_1) return 1;
+ if (xy->redy < 0 || xy->redy > PNG_FP_1-xy->redx) return 1;
if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1;
if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1;
- if (xy->bluex < 0 || xy->bluex > PNG_FP_1) return 1;
- if (xy->bluey < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1;
+ if (xy->bluex < 0 || xy->bluex > PNG_FP_1) return 1;
+ if (xy->bluey < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1;
if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1;
- if (xy->whitey < 0 || xy->whitey > PNG_FP_1-xy->whitex) return 1;
+ if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1;
/* The reverse calculation is more difficult because the original tristimulus
* value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8