Blame pngcheck-2.4.0-overflow-bz1897485.patch

Fix buffer overflow reported in RHBZ #1897485.
When char is signed, casting to a (signed) int directly could produce a
negative offset into the ASCII lookup table; adding an intermediate cast to uch
(a typedef for unsigned char) ensures a nonnegative offset no greater than 255,
which always corresponds to a valid table index.
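diff -Naur pngcheck-2.4.0-original/pngcheck.c pngcheck-2.4.0/pngcheck.c
--- pngcheck-2.4.0-original/pngcheck.c	2020-10-31 14:59:48.000000000 -0400
+++ pngcheck-2.4.0/pngcheck.c	2020-11-13 09:51:34.834858819 -0500
@@ -4926,8 +4926,10 @@
 /* GRR 20061203:  now EBCDIC-safe */
 int check_chunk_name(char *chunk_name, char *fname)
 {
-  if (isASCIIalpha((int)chunk_name[0]) && isASCIIalpha((int)chunk_name[1]) &&
-      isASCIIalpha((int)chunk_name[2]) && isASCIIalpha((int)chunk_name[3]))
+  if (isASCIIalpha((int)(uch)chunk_name[0]) &&
+      isASCIIalpha((int)(uch)chunk_name[1]) &&
+      isASCIIalpha((int)(uch)chunk_name[2]) &&
+      isASCIIalpha((int)(uch)chunk_name[3]))
     return 0;
 
   printf("%s%s  invalid chunk name \"%.*s\" (%02x %02x %02x %02x)\n",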
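Review bot: The `(uch)` cast is applied separately at each of the four `isASCIIalpha` calls in `check_chunk_name`, so any other caller that passes a plain `char` keeps the negative-index problem; normalising the argument once inside the `isASCIIalpha` definition (which is outside this hunk) would cover every call site. The `printf` whose first line closes the hunk formats four bytes with `%02x`, and its argument list is not visible here; if those arguments are plain `chunk_name[i]`, a byte of 0x80 or above is sign-extended where `char` is signed and prints as eight hex digits, so `(uch)chunk_name[0]` and its siblings would be the matching change. A comment above the condition, such as `/* index the table with an unsigned byte: chunk_name may hold bytes >= 0x80 */`, would keep the casts from being removed later as redundant. The body of `check_chunk_name` continues past the end of the hunk.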