commit 66dce0da6a5db51ee0c2875517d3a6ca6cbbe53d
author Eric Vannier <evannier@google.com> Wed Jul 20 17:03:29 2011 -0700
committer Kenny Root <kroot@google.com> Thu Jul 21 10:35:54 2011 -0700
tree 7a375165c96b754d82ba1b6c304084645a5197bf
parent 6acf3dd4a350c51fd2b72ec990b7da6d5657e52a

Upgrading libpng to 1.2.46 to fix a few vulnerabilities.

Bug: 5057432
Bug: 5055636
Change-Id: I9e1b51881386aa9f574a38abc844e036baef9091

pngrutil.c

diff --git a/pngrutil.c b/pngrutil.c
index 7796887..dfa2c03 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1,8 +1,8 @@
 
 /* pngrutil.c - utilities to read a PNG file
  *
- * Last changed in libpng 1.2.44 [June 26, 2010]
- * Copyright (c) 1998-2010 Glenn Randers-Pehrson
+ * Last changed in libpng 1.2.45 [July 7, 2011]
+ * Copyright (c) 1998-2011 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
@@ -1829,6 +1829,14 @@
       return;
    }
 
+   /* Need unit type, width, \0, height: minimum 4 bytes */
+   else if (length < 4)
+   {
+      png_warning(png_ptr, "sCAL chunk too short");
+      png_crc_finish(png_ptr, length);
+      return;
+   }
+
    png_debug1(2, "Allocating and reading sCAL chunk data (%lu bytes)",
       length + 1);
    png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);