~ubuntu-branches/ubuntu/maverick/libpng/maverick-security


Viewing changes to pngrtran.c

  • Committer: Bazaar Package Importer
  • Author(s): Marc Deslauriers
  • Date: 2011-07-26 08:31:17 UTC
  • Revision ID: james.westby@ubuntu.com-20110726083117-wb0parv74tzhf6j8
Tags: 1.2.44-1ubuntu0.1
* SECURITY UPDATE: denial of service via error message data
  - debian/patches/02-CVE-2011-2501.patch: correctly calculate length in
    pngerror.c.
  - CVE-2011-2501
* SECURITY UPDATE: denial of service and possible arbitrary code
  execution via crafted PNG image
  - debian/patches/03-CVE-2011-2690.patch: validate coefficients in
    pngrtran.c.
  - CVE-2011-2690
* SECURITY UPDATE: denial of service and possible arbitrary code
  execution via invalid sCAL chunks
  - debian/patches/04-CVE-2011-2692.patch: check sCAL chunk length in
    pngrutil.c.
  - CVE-2011-2692

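--- a/pngrtran.c
+++ b/pngrtran.c
@@ -676,10 +676,21 @@
 png_set_rgb_to_gray(png_structp png_ptr, int error_action, double red,
    double green)
 {
-   int red_fixed = (int)((float)red*100000.0 + 0.5);
-   int green_fixed = (int)((float)green*100000.0 + 0.5);
+   int red_fixed, green_fixed;
    if (png_ptr == NULL)
       return;
+   if (red > 21474.83647 || red < -21474.83648 ||
+       green > 21474.83647 || green < -21474.83648)
+   {
+      png_warning(png_ptr, "ignoring out of range rgb_to_gray coefficients");
+      red_fixed = -1;
+      green_fixed = -1;
+   }
+   else
+   {
+      red_fixed = (int)((float)red*100000.0 + 0.5);
+      green_fixed = (int)((float)green*100000.0 + 0.5);
+   }
    png_set_rgb_to_gray_fixed(png_ptr, error_action, red_fixed, green_fixed);
 }
 #endif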
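Review bot: A NaN coefficient still passes the new range check at new lines 682-683, because every ordered comparison against NaN is false, so control reaches the else branch, where converting a NaN to `int` is undefined behaviour. Writing the guard in the accepting direction and negating it rejects NaN along with out-of-range values: `if (!(red >= -21474.83648 && red <= 21474.83647 && green >= -21474.83648 && green <= 21474.83647))`. The bounds also deserve a one-line comment, e.g. `/* limits are INT_MIN/100000 and INT_MAX/100000 for a 32-bit int */`, since the conversion silently depends on that width. The -1 values are handed to png_set_rgb_to_gray_fixed, whose treatment of negative coefficients is not visible here and should be confirmed to select the defaults; the function's return-type line also sits above the hunk.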