Merge "DO NOT MERGE Fix for CVE-2011-3045" into ics-mr1
diff --git a/pngrutil.c b/pngrutil.c
index 47c781c..31c9b01 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -380,8 +380,14 @@
{
/* Success (maybe) - really uncompress the chunk. */
png_size_t new_size = 0;
- png_charp text = png_malloc_warn(png_ptr,
- prefix_size + expanded_size + 1);
+ png_charp text = NULL;
+
+ /* Need to check for both truncation (64-bit) and integer overflow. */
+ if (prefix_size + expanded_size > prefix_size &&
+ prefix_size + expanded_size < 0xffffffffU)
+ {
+ text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1);
+ }
if (text != NULL)
{
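Review bot: The guard on `prefix_size + expanded_size` detects overflow by letting the sum wrap and comparing afterwards, which relies on both operands being unsigned; their declarations are outside this hunk. Comparing against the remaining headroom never computes a wrapped value and also guarantees that the `+ 1` passed to `png_malloc_warn` cannot wrap: `if (prefix_size < 0xffffffffU && expanded_size < 0xffffffffU - prefix_size)`. The `> prefix_size` half of the current test additionally rejects `expanded_size == 0`, so add `expanded_size > 0 &&` if the enclosing condition (not visible here) does not already ensure it. The comment should say what is truncated, for example `/* Reject sums that wrap png_size_t or do not fit the allocator's 32-bit size. */`, assuming that is the truncation meant. When the check fails `text` stays NULL, so a rejected length appears to share the allocation-failure path, whose else branch is outside the hunk; a distinct warning would make malformed chunks distinguishable in logs.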