Merge pull request #26700 from vrabaud:png_buffer_overflow

Fix heap buffer overflow in cv::PngDecoder::read_from_io
2025-12-06 12:19:50 +01:00 · 2025-01-03 10:39:23 +03:00 · 2025-01-03 10:39:23 +03:00 · 5e1eed5026
commit 5e1eed5026
parent ffd0548651 12963ea699
1 changed files with 1 additions and 1 deletions
--- a/modules/imgcodecs/src/grfmt_png.cpp
+++ b/modules/imgcodecs/src/grfmt_png.cpp
@ -655,7 +655,7 @@ size_t PngDecoder::read_from_io(void* _Buffer, size_t _ElementSize, size_t _Elem
    if (m_f)
        return fread(_Buffer, _ElementSize, _ElementCount, m_f);

-    if (m_buf_pos > m_buf.cols * m_buf.rows * m_buf.elemSize())
+    if (m_buf_pos + _ElementSize > m_buf.cols * m_buf.rows * m_buf.elemSize())
        CV_Error(Error::StsInternal, "PNG input buffer is incomplete");

    memcpy( _Buffer, m_buf.ptr() + m_buf_pos, _ElementSize );