From 9f22cc900810d93ed7808f31b90ade0c7c915e6a Mon Sep 17 00:00:00 2001
From: Neil Bickford <nbickford@nvidia.com>
Date: Fri, 15 Oct 2021 11:04:41 -0700
Subject: [PATCH] stb_image PNG: Checks for invalid DEFLATE codes.

Specifically, this rejects length codes 286 and 287, and distance codes 30 and 31.
This avoids a scenario in which a file could contain a table in which
0 corresponded to length code 287, which would result in writing 0 bits.

Signed-off-by: Neil Bickford <nbickford@nvidia.com>
---
 stb_image.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/stb_image.h b/stb_image.h
index d60371b..ab616c5 100644
--- a/stb_image.h
+++ b/stb_image.h
@@ -4256,11 +4256,12 @@ static int stbi__parse_huffman_block(stbi__zbuf *a)
             a->zout = zout;
             return 1;
          }
+         if (z >= 286) return stbi__err("bad huffman code","Corrupt PNG"); // per DEFLATE, length codes 286 and 287 must not appear in compressed data
          z -= 257;
          len = stbi__zlength_base[z];
          if (stbi__zlength_extra[z]) len += stbi__zreceive(a, stbi__zlength_extra[z]);
          z = stbi__zhuffman_decode(a, &a->z_distance);
-         if (z < 0) return stbi__err("bad huffman code","Corrupt PNG");
+         if (z < 0 || z >= 30) return stbi__err("bad huffman code","Corrupt PNG"); // per DEFLATE, distance codes 30 and 31 must not appear in compressed data
          dist = stbi__zdist_base[z];
          if (stbi__zdist_extra[z]) dist += stbi__zreceive(a, stbi__zdist_extra[z]);
          if (zout - a->zout_start < dist) return stbi__err("bad dist","Corrupt PNG");