[png] Fix potential integer overflow
authorMichael Brown <mcb30@ipxe.org>
Thu, 4 Jun 2020 21:09:11 +0000 (22:09 +0100)
committerMichael Brown <mcb30@ipxe.org>
Thu, 4 Jun 2020 21:09:11 +0000 (22:09 +0100)
Signed-off-by: Michael Brown <mcb30@ipxe.org>
src/image/png.c

index 5c4bcb3a05646aba538e6dc0719476a0eb64d48a..d5cf7fd8f8874b10c42bde1dd5c3681a1d9f91c6 100644 (file)
@@ -924,9 +924,9 @@ static int png_pixbuf ( struct image *image, struct pixel_buffer **pixbuf ) {
 
                /* Extract chunk header */
                remaining = ( image->len - png->offset );
-               if ( remaining < sizeof ( header ) ) {
-                       DBGC ( image, "PNG %s truncated chunk header at offset "
-                              "%zd\n", image->name, png->offset );
+               if ( remaining < ( sizeof ( header ) + sizeof ( footer ) ) ) {
+                       DBGC ( image, "PNG %s truncated chunk header/footer "
+                              "at offset %zd\n", image->name, png->offset );
                        rc = -EINVAL;
                        goto err_truncated;
                }
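Review bot: The widened guard still trusts `remaining = ( image->len - png->offset )` on the context line just above it, and that subtraction would wrap to a very large value if `png->offset` were ever greater than `image->len` (assuming both are unsigned, which the hunk does not show). A wrapped `remaining` would satisfy this check and the chunk-length check in the next hunk regardless of how little data is left. The code that advances `png->offset` is outside the hunk, so the invariant may already hold. If it does, state it in a comment such as `/* png->offset never exceeds image->len here */`; otherwise reject with `if ( png->offset > image->len )` before the subtraction.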
@@ -936,10 +936,10 @@ static int png_pixbuf ( struct image *image, struct pixel_buffer **pixbuf ) {
 
                /* Validate chunk length */
                chunk_len = ntohl ( header.len );
-               if ( remaining < ( sizeof ( header ) + chunk_len +
+               if ( chunk_len > ( remaining - sizeof ( header ) -
                                   sizeof ( footer ) ) ) {
-                       DBGC ( image, "PNG %s truncated chunk data/footer at "
-                              "offset %zd\n", image->name, png->offset );
+                       DBGC ( image, "PNG %s truncated chunk data at offset "
+                              "%zd\n", image->name, png->offset );
                        rc = -EINVAL;
                        goto err_truncated;
                }
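Review bot: The subtraction `remaining - sizeof ( header ) - sizeof ( footer )` is safe from underflow only because the header/footer check earlier in the loop body has already rejected smaller values of `remaining`, and nothing at this site records that dependency. A one-line comment above the condition, e.g. `/* remaining >= header + footer was verified above, so this cannot wrap */`, would keep a later reordering or removal of the first check from silently reintroducing the wrap. The lines between the two hunks are not visible here, so this assumes `remaining` is not modified in between.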