Bug 705883: Fix overflows in PNG dimension expressions.

MuPDF accidentally truncated the image size when allocating, but
not when processing the image samples, leading to out of bounds
accesses.

diff --git a/source/fitz/load-png.c b/source/fitz/load-png.c
index 7c7ee1dae4758dcd0489d671703d1bec629b0452..836804f5db4a5c4d37dfcb697a66db71699237e2 100644 (file)
--- a/source/fitz/load-png.c
+++ b/source/fitz/load-png.c
@@ -33,7 +33,7 @@ struct info
        unsigned int width, height, depth, n;
        enum fz_colorspace_type type;
        int interlace, indexed;
-       unsigned int size;
+       size_t size;
        unsigned char *samples;
        unsigned char palette[256*4];
        int transparency;
@@ -465,7 +465,7 @@ png_read_image(fz_context *ctx, struct info *info, const unsigned char *p, size_
        {
                if (!info->interlace)
                {
-                       info->size = info->height * (1 + (info->width * info->n * info->depth + 7) / 8);
+                       info->size = info->height * (1 + ((size_t) info->width * info->n * info->depth + 7) / 8);
                }
                else
                {
@@ -636,7 +636,7 @@ fz_load_png(fz_context *ctx, const unsigned char *p, size_t total)
 {
        fz_pixmap *image = NULL;
        struct info png;
-       int stride;
+       size_t stride;
        int alpha;
 
        fz_var(image);
@@ -645,7 +645,7 @@ fz_load_png(fz_context *ctx, const unsigned char *p, size_t total)
        {
                png_read_image(ctx, &png, p, total, 0);
 
-               stride = (png.width * png.n * png.depth + 7) / 8;
+               stride = ((size_t) png.width * png.n * png.depth + 7) / 8;
                alpha = (png.n == 2 || png.n == 4 || png.transparency);
 
                if (png.indexed)