--- libpng-1.6.15/png.c 2014-11-20 09:33:24.002942704 -0600 +++ libpng-1.6.16/png.c 2014-12-21 21:08:07.398674453 -0600 @@ -2456,16 +2456,27 @@ png_colorspace_set_rgb_coefficients(png_ else png_error(png_ptr, "internal error handling cHRM->XYZ"); } } #endif #endif /* COLORSPACE */ +#ifdef __GNUC__ +/* This exists solely to work round a warning from GNU C. */ +static int /* PRIVATE */ +png_gt(size_t a, size_t b) +{ + return a > b; +} +#else +# define png_gt(a,b) ((a) > (b)) +#endif + void /* PRIVATE */ png_check_IHDR(png_const_structrp png_ptr, png_uint_32 width, png_uint_32 height, int bit_depth, int color_type, int interlace_type, int compression_type, int filter_type) { int error = 0; @@ -2475,16 +2486,38 @@ png_check_IHDR(png_const_structrp png_pt png_warning(png_ptr, "Image width is zero in IHDR"); error = 1; } else if (width > PNG_UINT_31_MAX) { png_warning(png_ptr, "Invalid image width in IHDR"); error = 1; } + + else if (png_gt(width, + (PNG_SIZE_MAX >> 3) /* 8-byte RGBA pixels */ + - 48 /* big_row_buf hack */ + - 1 /* filter byte */ + - 7*8 /* rounding width to multiple of 8 pix */ + - 8)) /* extra max_pixel_depth pad */ + { + /* The size of the row must be within the limits of this architecture. + * Because the read code can perform arbitrary transformations the + * maximum size is checked here. Because the code in png_read_start_row + * adds extra space "for safety's sake" in several places a conservative + * limit is used here. + * + * NOTE: it would be far better to check the size that is actually used, + * but the effect in the real world is minor and the changes are more + * extensive, therefore much more dangerous and much more difficult to + * write in a way that avoids compiler warnings. + */ + png_warning(png_ptr, "Image width is too large for this architecture"); + error = 1; + } else { # ifdef PNG_SET_USER_LIMITS_SUPPORTED if (width > png_ptr->user_width_max) # else if (width > PNG_USER_WIDTH_MAX) # endif {