upng: check ims limitsupstream-main

author: iwashiira <89283357+iwashiira@users.noreply.github.com> 2024-05-09 14:43:07 +0100
committer: Andy Green <andy@warmcat.com> 2024-05-09 14:43:33 +0100
commit: 72187434722a401c59799e311f52a0e232334e38 (patch)
tree: aafbcd1c54268bdcf7ac12ffd361fc7e89f89088
parent: 9ba1504d01243b2076d8a085196f1b3cd73e365c (diff)
download: libwebsockets-upstream-main.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/misc/upng.c b/lib/misc/upng.c
index d89786d0..d62aee1c 100644
--- a/lib/misc/upng.c
+++ b/lib/misc/upng.c
@@ -484,6 +484,12 @@ lws_upng_decode(lws_upng_t* u, const uint8_t **_pos, size_t *_size)
 			if (!u->inf.out) {
 				size_t ims = (u->u.bypl * 2) + u->inf.info_size;
 
+				if (u->inf.info_size > ims) {
+					lwsl_err("%s: integer overflow occur in ims %llu",
+						 __func__, (unsigned long long)ims);
+					return LWS_SRET_FATAL + 27;
+				}
+
 				if (u->hold_at_metadata)
 					return LWS_SRET_AWAIT_RETRY;
author	iwashiira <89283357+iwashiira@users.noreply.github.com>	2024-05-09 14:43:07 +0100
committer	Andy Green <andy@warmcat.com>	2024-05-09 14:43:33 +0100
commit	72187434722a401c59799e311f52a0e232334e38 (patch)
tree	aafbcd1c54268bdcf7ac12ffd361fc7e89f89088
parent	9ba1504d01243b2076d8a085196f1b3cd73e365c (diff)
download	libwebsockets-upstream-main.tar.gz