From 3ef1be9783ca02ed8d786e0c3d4a992e00711c51 Mon Sep 17 00:00:00 2001
From: Jay Berkenbilt
Date: Thu, 31 Aug 2017 07:26:58 -0400
Subject: PNGFilter: Better range checking for columns
---
 libqpdf/Pl_PNGFilter.cc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'libqpdf/Pl_PNGFilter.cc')
diff --git a/libqpdf/Pl_PNGFilter.cc b/libqpdf/Pl_PNGFilter.cc
index 1566c8a5..78398736 100644
--- a/libqpdf/Pl_PNGFilter.cc
+++ b/libqpdf/Pl_PNGFilter.cc
@@ -1,6 +1,7 @@
 #include
 #include
 #include
+#include
 Pl_PNGFilter::Pl_PNGFilter(char const* identifier, Pipeline* next,
 action_e action, unsigned int columns,
@@ -14,9 +15,10 @@ Pl_PNGFilter::Pl_PNGFilter(char const* identifier, Pipeline* next,
 buf2(0),
 pos(0)
 {
- if (columns == 0)
+ if ((columns == 0) || (columns > UINT_MAX - 1))
 {
- throw std::runtime_error("PNGFilter created with columns = 0");
+ throw std::runtime_error(
+ "PNGFilter created with invalid columns value");
 }
 this->buf1 = new unsigned char[columns + 1];
 this->buf2 = new unsigned char[columns + 1];
-- cgit v1.2.3-54-g00ecf
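Review bot: The new upper bound in the second hunk's `if` only stops `columns + 1` from wrapping to 0 in the two `new unsigned char[columns + 1]` allocations; every value up to `UINT_MAX - 1` still passes, so a columns value that comes from an untrusted file (the caller is not visible here) can request two buffers of nearly 4 GiB each. If the second `new` throws, the buffer already assigned to `this->buf1` appears to leak, since a throwing constructor does not run the destructor and `buf1`/`buf2` look like raw pointers. Consider rejecting columns above a limit the project chooses, and document the intent of the existing test with a comment such as `// reject UINT_MAX so that columns + 1 below cannot wrap to 0`. The constructor's signature and the rest of its body lie outside the hunk.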