diff --git a/indra/llimage/llimagepng.cpp b/indra/llimage/llimagepng.cpp index 294f68b12..8ffd3c7f9 100644 --- a/indra/llimage/llimagepng.cpp +++ b/indra/llimage/llimagepng.cpp @@ -67,7 +67,7 @@ BOOL LLImagePNG::updateData() } LLPngWrapper::ImageInfo infop; - if (! pngWrapper.readPng(getData(), NULL, &infop)) + if (! pngWrapper.readPng(getData(), getDataSize(), &infop)) { setLastError(pngWrapper.getErrorMessage()); return FALSE; @@ -102,7 +102,7 @@ BOOL LLImagePNG::decode(LLImageRaw* raw_image, F32 decode_time) return FALSE; } - if (! pngWrapper.readPng(getData(), raw_image)) + if (! pngWrapper.readPng(getData(), getDataSize(), raw_image)) { setLastError(pngWrapper.getErrorMessage()); return FALSE; diff --git a/indra/llimage/llpngwrapper.cpp b/indra/llimage/llpngwrapper.cpp index d33aa94fd..c9d34f850 100644 --- a/indra/llimage/llpngwrapper.cpp +++ b/indra/llimage/llpngwrapper.cpp @@ -93,6 +93,12 @@ void LLPngWrapper::errorHandler(png_structp png_ptr, png_const_charp msg) void LLPngWrapper::readDataCallback(png_structp png_ptr, png_bytep dest, png_size_t length) { PngDataInfo *dataInfo = (PngDataInfo *) png_get_io_ptr(png_ptr); + if (dataInfo->mOffset + length > dataInfo->mDataSize) + { + png_error(png_ptr, "Data read error. Requested data size exceeds available data size."); + return; + } + U8 *src = &dataInfo->mData[dataInfo->mOffset]; memcpy(dest, src, length); dataInfo->mOffset += static_cast(length); @@ -120,7 +126,7 @@ void LLPngWrapper::writeFlush(png_structp png_ptr) // The scanline also begins at the bottom of // the image (per SecondLife conventions) instead of at the top, so we // must assign row-pointers in "reverse" order. -BOOL LLPngWrapper::readPng(U8* src, LLImageRaw* rawImage, ImageInfo *infop) +BOOL LLPngWrapper::readPng(U8* src, S32 dataSize, LLImageRaw* rawImage, ImageInfo *infop) { try { @@ -139,6 +145,7 @@ BOOL LLPngWrapper::readPng(U8* src, LLImageRaw* rawImage, ImageInfo *infop) PngDataInfo dataPtr; dataPtr.mData = src; dataPtr.mOffset = 0; + dataPtr.mDataSize = dataSize; png_set_read_fn(mReadPngPtr, &dataPtr, &readDataCallback); png_set_sig_bytes(mReadPngPtr, 0); diff --git a/indra/llimage/llpngwrapper.h b/indra/llimage/llpngwrapper.h index 397d316d0..7aeb1a09c 100644 --- a/indra/llimage/llpngwrapper.h +++ b/indra/llimage/llpngwrapper.h @@ -49,7 +49,7 @@ public: }; BOOL isValidPng(U8* src); - BOOL readPng(U8* src, LLImageRaw* rawImage, ImageInfo *infop = NULL); + BOOL readPng(U8* src, S32 dataSize, LLImageRaw* rawImage, ImageInfo *infop = NULL); BOOL writePng(const LLImageRaw* rawImage, U8* dst); U32 getFinalSize(); const std::string& getErrorMessage(); @@ -66,6 +66,7 @@ private: { U8 *mData; U32 mOffset; + S32 mDataSize; }; static void writeFlush(png_structp png_ptr);