From ba274d5b98d1582bba47a1591c9e02b1ff421352 Mon Sep 17 00:00:00 2001
From: Lode
Date: Tue, 18 Nov 2014 23:37:42 +0100
Subject: protect against invalid chunk lengths in some tools
---
lodepng_util.cpp | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'lodepng_util.cpp')
diff --git a/lodepng_util.cpp b/lodepng_util.cpp
index 3784b6e..ed054f0 100644
--- a/lodepng_util.cpp
+++ b/lodepng_util.cpp
@@ -51,8 +51,10 @@ unsigned getChunkInfo(std::vector& names, std::vector& size
 lodepng_chunk_type(type, chunk);
 if(std::string(type).size() != 4) return 1;
+ unsigned length = lodepng_chunk_length(chunk);
+ if(chunk + length >= end) return 1;
 names.push_back(type);
- sizes.push_back(lodepng_chunk_length(chunk));
+ sizes.push_back(length);
 chunk = lodepng_chunk_next_const(chunk);
 }
@@ -180,6 +182,7 @@ unsigned getFilterTypesInterlaced(std::vector >& filt
 {
 const unsigned char* cdata = lodepng_chunk_data_const(chunk);
 unsigned clength = lodepng_chunk_length(chunk);
+ if(chunk + clength >= end) return 1; // corrupt chunk length
 for(unsigned i = 0; i < clength; i++)
 {
-- cgit v1.2.3
From fe4e8b3693d489bf4b7d2711893075afd047a607 Mon Sep 17 00:00:00 2001
From: Lode
Date: Fri, 21 Nov 2014 01:52:20 +0100
Subject: fix examples
---
lodepng_util.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'lodepng_util.cpp')
diff --git a/lodepng_util.cpp b/lodepng_util.cpp
index ed054f0..37a6e73 100644
--- a/lodepng_util.cpp
+++ b/lodepng_util.cpp
@@ -52,7 +52,7 @@ unsigned getChunkInfo(std::vector& names, std::vector& size
 if(std::string(type).size() != 4) return 1;
 unsigned length = lodepng_chunk_length(chunk);
- if(chunk + length >= end) return 1;
+ if(chunk + length + 12 > end) return 1;
 names.push_back(type);
 sizes.push_back(length);
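Review bot: In getChunkInfo (commit ba274d5), the added check `if(chunk + length >= end) return 1;` builds a pointer from a 32-bit length taken from the file before comparing it, and forming a pointer beyond the end of the buffer is undefined behaviour; on a 32-bit target the sum can wrap below `end`, so an oversized length may still pass the test. Comparing sizes avoids this: `if(length >= (size_t)(end - chunk)) return 1;`, assuming `chunk <= end` holds at this point, which only the loop condition outside the hunk can guarantee. The same pattern is in the getFilterTypesInterlaced hunk of this commit and in both `+ 12` variants of the follow-up commit fe4e8b3.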
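Review bot: In getFilterTypesInterlaced (commit ba274d5), `lodepng_chunk_length(chunk)` is called before anything in the hunk shows that the chunk header itself lies inside the buffer, so the new test may be validating a length that was already read out of bounds. Whether the enclosing loop guarantees those header bytes is not visible, because the function body starts and ends outside the hunk. If it does not, a guard ahead of the length read, such as `if(end - chunk < 8) return 1; // truncated chunk header`, would close that gap; if it does, a short comment stating the invariant next to the check would help the next reader.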
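Review bot: The literal `12` in `if(chunk + length + 12 > end) return 1;` in getChunkInfo (commit fe4e8b3) is unexplained, and the subject line "fix examples" does not say why the bound moved. Presumably it is the per-chunk overhead of the PNG format (4-byte length, 4-byte type and 4-byte CRC around the data); a comment such as `// 12 = length (4) + type (4) + CRC (4) bytes around the chunk data`, or a named constant, would make that checkable. Unlike the copy in getFilterTypesInterlaced, this return also lacks the `// corrupt chunk length` comment.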
@@ -182,7 +182,7 @@ unsigned getFilterTypesInterlaced(std::vector >& filt
 {
 const unsigned char* cdata = lodepng_chunk_data_const(chunk);
 unsigned clength = lodepng_chunk_length(chunk);
- if(chunk + clength >= end) return 1; // corrupt chunk length
+ if(chunk + clength + 12 > end) return 1; // corrupt chunk length
 for(unsigned i = 0; i < clength; i++)
 {
-- cgit v1.2.3
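Review bot: The bounds test in getFilterTypesInterlaced is now a second hand-edited copy of the one in getChunkInfo, and this commit had to change both in step. A small file-local helper would keep them from drifting apart and gives one place to do the comparison on sizes instead of on a computed pointer. The sketch below keeps the `+ 12` semantics of this commit; the helper name is only a suggestion, and each call site would become `if(!chunkFitsInBuffer(chunk, end)) return 1; // corrupt chunk length`. The function body continues outside the hunk, so `end` is assumed to be a `const unsigned char*` into the same buffer as `chunk`.

```cpp
// True when the whole chunk (4-byte length, 4-byte type, data, 4-byte CRC)
// lies inside the buffer that ends at 'end'.
static bool chunkFitsInBuffer(const unsigned char* chunk, const unsigned char* end)
{
  if(end - chunk < 12) return false; // not even room for an empty chunk
  return lodepng_chunk_length(chunk) <= (size_t)(end - chunk) - 12;
}
```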