File optipng-CVE-2016-2191.patch of Package optipng
Index: src/pngxtern/pngxrbmp.c
===================================================================
--- src/pngxtern/pngxrbmp.c.orig 2014-02-23 17:37:00.000000000 +0100
+++ src/pngxtern/pngxrbmp.c 2016-04-05 10:56:04.803623081 +0200
@@ -152,10 +152,13 @@
size_t result;
int ch;
+ if (len == 0)
+ return 0;
+
ptr += offset / 2;
if (offset & 1) /* use half-byte operations at odd offset */
{
- for (result = 0; result < len; result += 2)
+ for (result = 0; result < len - 1; result += 2)
{
ch = getc(stream);
if (ch == EOF)
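Review bot: With the new bound `result < len - 1`, an odd `len` at an odd offset leaves the last pixel unhandled: for `len == 3` the loop runs once and exits with `result == 2`, so the byte holding the final nibble is never read or stored. If the caller compares the returned count with `len`, a well-formed run of odd length would look like a short read and the stream would sit one byte behind; the return statement and call site are outside this hunk, so this needs confirming. Consider handling the trailing pixel after the loop with a single masked store into `*ptr` that does not touch the following byte, documented with something like `/* odd len: last pixel fills one nibble only, never write ptr[1] */`. The `len == 0` guard exists because `len - 1` would otherwise wrap (`len` appears to be unsigned, like `result`), and a comment `/* keeps len - 1 below from wrapping */` would stop it being removed as redundant.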
@@ -269,8 +272,7 @@
bmp_memset_fn = bmp_rle4_memset;
bmp_fread_fn = bmp_rle4_fread;
}
- crt_row = begin_row;
- for ( ; ; )
+ for (crt_row = begin_row; crt_row != end_row; )
{
ch = getc(stream); b1 = (unsigned int)ch;
ch = getc(stream); b2 = (unsigned int)ch;
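Review bot: The `crt_row != end_row` condition ends the loop only if every path advances `crt_row` by a single `inc` step and re-tests before advancing again, because an equality test never fires once the pointer has stepped past `end_row`. The paths visible in this patch keep to that, but the loop body continues outside the hunk, so the invariant should be written at the loop head, for example `/* invariant: crt_row is a valid row here; advance by inc once, then re-check against end_row */`. It is also worth noting in the same comment that `begin_row == end_row` now consumes nothing from the stream.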
@@ -300,6 +302,7 @@
{
bmp_memset_fn(*crt_row, crtn, 0, endn - crtn);
crt_row += inc;
+ crtn = 0;
result = (begin_row <= end_row) ?
(end_row - begin_row) : (begin_row - end_row);
break; /* the rest is wiped out at the end */
@@ -311,16 +314,17 @@
if (ch == EOF)
break;
dcrtn = (b1 < endn - crtn) ? (crtn + b1) : endn;
- if (b2 > (size_t)((end_row - crt_row) * inc))
- b2 = (unsigned int)((end_row - crt_row) * inc);
for ( ; b2 > 0; --b2)
{
bmp_memset_fn(*crt_row, crtn, 0, endn - crtn);
crt_row += inc;
crtn = 0;
++result;
+ if (crt_row == end_row)
+ break;
}
- bmp_memset_fn(*crt_row, crtn, 0, dcrtn - crtn);
+ if (crt_row != end_row)
+ bmp_memset_fn(*crt_row, crtn, 0, dcrtn - crtn);
}
else /* b2 >= 3 bytes in absolute mode */
{
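Review bot: A delta escape whose row count runs past the last row is now cut off at `end_row` silently, so nothing records that the file was malformed. Put a comment above the new `break`, such as `/* delta beyond the last row: stop here, the input is malformed */`, and if this reader has a warning or error path (none is visible in the hunk) this is the place to use it. The `if (crt_row != end_row)` guard on the final `bmp_memset_fn` call is needed because that `break` leaves only the inner `for`; a short comment on the guard, `/* inner loop may have stopped at end_row */`, would make the pairing obvious to the next maintainer.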