From 4a94e62a299e17777d720eca4c2266b4b26122b1 Mon Sep 17 00:00:00 2001
From: Arne Goedeke <el@laramies.com>
Date: Sat, 26 Apr 2014 00:07:21 +0200
Subject: [PATCH] Image.PNG: check sBIT chunk length

---
 src/modules/Image/encodings/png.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/modules/Image/encodings/png.c b/src/modules/Image/encodings/png.c
index 03c8b675d8..509fbb4d93 100644
--- a/src/modules/Image/encodings/png.c
+++ b/src/modules/Image/encodings/png.c
@@ -1311,11 +1311,14 @@ static void img_png_decode(INT32 args, int mode)
 
           case 0x73424954: /* sBIT */
 	  {
-	    int i;
+            struct pike_string * s = b->item[1].u.string;
+	    ptrdiff_t i;
             if(mode==MODE_IMAGE_ONLY) break;
-	    for(i=0; i<b->item[1].u.string->len; i++)
-	      push_int(b->item[1].u.string->str[i]);
-	    f_aggregate(b->item[1].u.string->len);
+            /* sBIT chunks are not longer than 4 bytes */
+            if (s->len > 4) break;
+	    for(i=0; i<s->len; i++)
+	      push_int(s->str[i]);
+	    f_aggregate(s->len);
 	    push_constant_text("sbit");
 	    mapping_insert(m,sp-1,sp-2);
 	    pop_n_elems(2);
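Review bot: The new `if (s->len > 4) break;` only bounds the chunk from above, so an sBIT whose length does not match the image's colour type (the PNG spec fixes it at 1, 2, 3 or 4 bytes depending on the type) is still accepted and produces a shorter or longer "sbit" array than a consumer expects; if the colour type is known at this point it would be better to compare against the expected length, otherwise the comment should say the check is a sanity bound rather than a validation, e.g. `/* sBIT is at most 4 bytes (one per channel); the exact length depends on the colour type, which is not checked here */`. The silent `break` also drops the chunk without any diagnostic, which is consistent with the surrounding non-strict decode but worth stating in the comment. The added lines mix space indentation (the `struct pike_string * s` and comment lines) with the tab indentation of the neighbouring lines; the file's convention should be kept. img_png_decode begins and ends outside the hunk.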
-- 
GitLab