[libpng12] Added png_check_chunk_length() function.

ANNOUNCE

@@ -1,5 +1,5 @@
 
-Libpng 1.2.58beta01 - December 30, 2016
+Libpng 1.2.58beta01 - August 7, 2017
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -40,7 +40,8 @@ Other information:
 
 Changes since the last public release (1.2.57):
 
-version 1.2.58beta01 [December 30, 2016]
+version 1.2.58beta01 [August 7, 2017]
+   Added png_check_chunk_length() function.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

CHANGES

@@ -2927,9 +2927,10 @@ version 1.2.57rc01 [December 27, 2016]
 
 version 1.0.67 and 1.2.57 [December 29, 2016]
   Fixed a potential null pointer dereference in png_set_text_2() (bug report
-    and patch by Patrick Keshishian).
+    and patch by Patrick Keshishian, CVE-2016-10087).
 
-version 1.2.58beta01 [December 30, 2016]
+version 1.2.58beta01 [August 7, 2017]
+   Added png_check_chunk_length() function.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

png.h

@@ -1,7 +1,7 @@
 
 /* png.h - header file for PNG reference library
  *
- * libpng version 1.2.58beta01, December 30, 2016
+ * libpng version 1.2.58beta01, August 7, 2017
  *
  * Copyright (c) 1998-2017 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
@@ -12,7 +12,7 @@
  * Authors and maintainers:
  *  libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat
  *  libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger
- *  libpng versions 0.97, January 1998, through 1.2.58beta01, December 30, 2016: Glenn
+ *  libpng versions 0.97, January 1998, through 1.2.58beta01, August 7, 2017: Glenn
  *  See also "Contributing Authors", below.
  */
 
@@ -24,7 +24,7 @@
  *
  * This code is released under the libpng license.
  *
- * libpng versions 1.0.7, July 1, 2000, through 1.2.58beta01, December 30, 2016, are
+ * libpng versions 1.0.7, July 1, 2000, through 1.2.58beta01, August 7, 2017, are
  * Copyright (c) 2000-2002, 2004, 2006-2017 Glenn Randers-Pehrson, are
  * derived from libpng-1.0.6, and are distributed according to the same
  * disclaimer and license as libpng-1.0.6 with the following individuals
@@ -179,8 +179,8 @@
  *    ...
  *    1.0.19                  10    10019  10.so.0.19[.0]
  *    ...
- *    1.0.67                  10    10067  10.so.0.67[.0]
- *    1.2.57                  13    10257  12.so.0.57[.0]
+ *    1.0.68                  10    10068  10.so.0.68[.0]
+ *    1.2.58                  13    10258  12.so.0.58[.0]
  *
  *    Henceforth the source version will match the shared-library major
  *    and minor numbers; the shared-library major version number will be
@@ -208,7 +208,7 @@
  * Y2K compliance in libpng:
  * =========================
  *
- *    December 30, 2016
+ *    August 7, 2017
  *
  *    Since the PNG Development group is an ad-hoc body, we can't make
  *    an official declaration.
@@ -272,7 +272,7 @@
 /* Version information for png.h - this should match the version in png.c */
 #define PNG_LIBPNG_VER_STRING "1.2.58beta01"
 #define PNG_HEADER_VERSION_STRING \
-   " libpng version 1.2.58beta01 - December 30, 2016\n"
+   " libpng version 1.2.58beta01 - August 7, 2017\n"
 
 #define PNG_LIBPNG_VER_SONUM   0
 #define PNG_LIBPNG_VER_DLLNUM  13
@@ -3409,6 +3409,9 @@ PNG_EXTERN void png_handle_unknown PNGARG((png_structp png_ptr,
 PNG_EXTERN void png_check_chunk_name PNGARG((png_structp png_ptr,
    png_bytep chunk_name)) PNG_PRIVATE;
 
+PNG_EXTERN void png_check_chunk_length PNGARG((png_structp png_ptr,
+   png_uint_32 chunk_length)) PNG_PRIVATE;
+
 /* Handle the transformations for reading and writing */
 PNG_EXTERN void png_do_read_transformations
    PNGARG((png_structp png_ptr)) PNG_PRIVATE;

pngpread.c

@@ -205,6 +205,7 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr)
       png_reset_crc(png_ptr);
       png_crc_read(png_ptr, png_ptr->chunk_name, 4);
       png_check_chunk_name(png_ptr, png_ptr->chunk_name);
+      png_check_chunk_length(png_ptr, png_ptr->push_length);
       png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
    }
 

pngrutil.c

@@ -131,6 +131,9 @@ png_read_chunk_header(png_structp png_ptr)
    /* Check to see if chunk name is valid */
    png_check_chunk_name(png_ptr, png_ptr->chunk_name);
 
+   /* Check for too-large chunk length */
+   png_check_chunk_length(png_ptr, length);
+
    return length;
 }
 
@@ -2506,6 +2509,41 @@ png_check_chunk_name(png_structp png_ptr, png_bytep chunk_name)
    }
 }
 
+void /* PRIVATE */
+png_check_chunk_length(png_structp png_ptr, png_uint_32 length)
+{
+   png_uint_32 limit = PNG_UINT_31_MAX;
+
+   /* if (png_ptr->chunk_name != "IDAT") */
+   if (png_ptr->chunk_name[0] != 73 || png_ptr->chunk_name[1] !=68 ||
+       png_ptr->chunk_name[2] != 65 || png_ptr->chunk_name[3] !=84)
+   {
+# if PNG_USER_CHUNK_MALLOC_MAX > 0
+      if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+         limit = PNG_USER_CHUNK_MALLOC_MAX;
+# endif
+   }
+   else
+   {
+      size_t row_factor =
+         (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+          + 1 + (png_ptr->interlaced? 6: 0));
+      if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
+         limit=PNG_UINT_31_MAX;
+      else
+         limit = png_ptr->height * row_factor;
+      limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */
+      limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX;
+   }
+   if (length > limit)
+   {
+      png_debug2(0," length = %lu, limit = %lu",
+         (unsigned long)length,(unsigned long)limit);
+      png_chunk_error(png_ptr, "chunk data is too large");
+   }
+}
+
+
 /* Combines the row recently read in with the existing pixels in the
    row.  This routine takes care of alpha and transparency if requested.
    This routine also handles the two methods of progressive display