[SECURITY] Avoid free'ing a wild pointer on PNG decode

In certain cases, a PNG could be fed into `load_png` which would act as
a DoS vector.

I fixed this in two ways:

* making sure `rows` is instantiated to NULL and checking if it's NULL
  before freeing it;
* the minimum length of PNG data is known to be 67 bytes. So, if it's
  less, we know we can error out.

Resolves CVE-2020-11721.
Closes saitoha/libpixel#134.
Closes #9.

Author: ctrlcctrlv

src/loader.c

@@ -317,7 +317,7 @@ load_png(unsigned char      /* out */ **result,
 # pragma GCC diagnostic push
 # pragma GCC diagnostic ignored "-Wclobbered"
 #endif
-    unsigned char **rows;
+    unsigned char **rows = NULL;
     png_color *png_palette = NULL;
     png_color_16 background;
     png_color_16p default_background;
@@ -336,7 +336,6 @@ load_png(unsigned char      /* out */ **result,
 #endif  /* HAVE_SETJMP && HAVE_LONGJMP */
 
     status = SIXEL_FALSE;
-    rows = NULL;
     *result = NULL;
 
     png_ptr = png_create_read_struct(
@@ -348,6 +347,14 @@ load_png(unsigned char      /* out */ **result,
         goto cleanup;
     }
 
+    // The minimum valid PNG is 67 bytes.
+    // https://garethrees.org/2007/11/14/pngcrush/
+    if (size < 67) {
+        sixel_helper_set_additional_message("PNG data too small to be valid!");
+        status = SIXEL_PNG_ERROR;
+        goto cleanup;
+    }
+
 #if HAVE_SETJMP
     if (setjmp(png_jmpbuf(png_ptr)) != 0) {
         sixel_allocator_free(allocator, *result);
@@ -357,6 +364,7 @@ load_png(unsigned char      /* out */ **result,
     }
 #endif  /* HAVE_SETJMP */
 
+
     info_ptr = png_create_info_struct(png_ptr);
     if (!info_ptr) {
         sixel_helper_set_additional_message(
@@ -647,7 +655,10 @@ load_png(unsigned char      /* out */ **result,
 
 cleanup:
     png_destroy_read_struct(&png_ptr, &info_ptr,(png_infopp)0);
-    sixel_allocator_free(allocator, rows);
+
+    if (rows != NULL) {
+        sixel_allocator_free(allocator, rows);
+    }
 
     return status;
 }