[libpng12] Added png_check_chunk_length() function.

This commit is contained in:
Glenn Randers-Pehrson 2017-08-07 05:51:12 -05:00
parent 96091fe7ce
commit 4d4f472108
5 changed files with 55 additions and 11 deletions

View File

@ -1,5 +1,5 @@
Libpng 1.2.58beta01 - December 30, 2016 Libpng 1.2.58beta01 - August 7, 2017
This is not intended to be a public release. It will be replaced This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version. within a few weeks by a public version or by another test version.
@ -40,7 +40,8 @@ Other information:
Changes since the last public release (1.2.57): Changes since the last public release (1.2.57):
version 1.2.58beta01 [December 30, 2016] version 1.2.58beta01 [August 7, 2017]
Added png_check_chunk_length() function.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

View File

@ -2927,9 +2927,10 @@ version 1.2.57rc01 [December 27, 2016]
version 1.0.67 and 1.2.57 [December 29, 2016] version 1.0.67 and 1.2.57 [December 29, 2016]
Fixed a potential null pointer dereference in png_set_text_2() (bug report Fixed a potential null pointer dereference in png_set_text_2() (bug report
and patch by Patrick Keshishian). and patch by Patrick Keshishian, CVE-2016-10087).
version 1.2.58beta01 [December 30, 2016] version 1.2.58beta01 [August 7, 2017]
Added png_check_chunk_length() function.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

17
png.h
View File

@ -1,7 +1,7 @@
/* png.h - header file for PNG reference library /* png.h - header file for PNG reference library
* *
* libpng version 1.2.58beta01, December 30, 2016 * libpng version 1.2.58beta01, August 7, 2017
* *
* Copyright (c) 1998-2017 Glenn Randers-Pehrson * Copyright (c) 1998-2017 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
@ -12,7 +12,7 @@
* Authors and maintainers: * Authors and maintainers:
* libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat * libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat
* libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger * libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger
* libpng versions 0.97, January 1998, through 1.2.58beta01, December 30, 2016: Glenn * libpng versions 0.97, January 1998, through 1.2.58beta01, August 7, 2017: Glenn
* See also "Contributing Authors", below. * See also "Contributing Authors", below.
*/ */
@ -24,7 +24,7 @@
* *
* This code is released under the libpng license. * This code is released under the libpng license.
* *
* libpng versions 1.0.7, July 1, 2000, through 1.2.58beta01, December 30, 2016, are * libpng versions 1.0.7, July 1, 2000, through 1.2.58beta01, August 7, 2017, are
* Copyright (c) 2000-2002, 2004, 2006-2017 Glenn Randers-Pehrson, are * Copyright (c) 2000-2002, 2004, 2006-2017 Glenn Randers-Pehrson, are
* derived from libpng-1.0.6, and are distributed according to the same * derived from libpng-1.0.6, and are distributed according to the same
* disclaimer and license as libpng-1.0.6 with the following individuals * disclaimer and license as libpng-1.0.6 with the following individuals
@ -179,8 +179,8 @@
* ... * ...
* 1.0.19 10 10019 10.so.0.19[.0] * 1.0.19 10 10019 10.so.0.19[.0]
* ... * ...
* 1.0.67 10 10067 10.so.0.67[.0] * 1.0.68 10 10068 10.so.0.68[.0]
* 1.2.57 13 10257 12.so.0.57[.0] * 1.2.58 13 10258 12.so.0.58[.0]
* *
* Henceforth the source version will match the shared-library major * Henceforth the source version will match the shared-library major
* and minor numbers; the shared-library major version number will be * and minor numbers; the shared-library major version number will be
@ -208,7 +208,7 @@
* Y2K compliance in libpng: * Y2K compliance in libpng:
* ========================= * =========================
* *
* December 30, 2016 * August 7, 2017
* *
* Since the PNG Development group is an ad-hoc body, we can't make * Since the PNG Development group is an ad-hoc body, we can't make
* an official declaration. * an official declaration.
@ -272,7 +272,7 @@
/* Version information for png.h - this should match the version in png.c */ /* Version information for png.h - this should match the version in png.c */
#define PNG_LIBPNG_VER_STRING "1.2.58beta01" #define PNG_LIBPNG_VER_STRING "1.2.58beta01"
#define PNG_HEADER_VERSION_STRING \ #define PNG_HEADER_VERSION_STRING \
" libpng version 1.2.58beta01 - December 30, 2016\n" " libpng version 1.2.58beta01 - August 7, 2017\n"
#define PNG_LIBPNG_VER_SONUM 0 #define PNG_LIBPNG_VER_SONUM 0
#define PNG_LIBPNG_VER_DLLNUM 13 #define PNG_LIBPNG_VER_DLLNUM 13
@ -3409,6 +3409,9 @@ PNG_EXTERN void png_handle_unknown PNGARG((png_structp png_ptr,
PNG_EXTERN void png_check_chunk_name PNGARG((png_structp png_ptr, PNG_EXTERN void png_check_chunk_name PNGARG((png_structp png_ptr,
png_bytep chunk_name)) PNG_PRIVATE; png_bytep chunk_name)) PNG_PRIVATE;
PNG_EXTERN void png_check_chunk_length PNGARG((png_structp png_ptr,
png_uint_32 chunk_length)) PNG_PRIVATE;
/* Handle the transformations for reading and writing */ /* Handle the transformations for reading and writing */
PNG_EXTERN void png_do_read_transformations PNG_EXTERN void png_do_read_transformations
PNGARG((png_structp png_ptr)) PNG_PRIVATE; PNGARG((png_structp png_ptr)) PNG_PRIVATE;

View File

@ -205,6 +205,7 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr)
png_reset_crc(png_ptr); png_reset_crc(png_ptr);
png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_crc_read(png_ptr, png_ptr->chunk_name, 4);
png_check_chunk_name(png_ptr, png_ptr->chunk_name); png_check_chunk_name(png_ptr, png_ptr->chunk_name);
png_check_chunk_length(png_ptr, png_ptr->push_length);
png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
} }

View File

@ -131,6 +131,9 @@ png_read_chunk_header(png_structp png_ptr)
/* Check to see if chunk name is valid */ /* Check to see if chunk name is valid */
png_check_chunk_name(png_ptr, png_ptr->chunk_name); png_check_chunk_name(png_ptr, png_ptr->chunk_name);
/* Check for too-large chunk length */
png_check_chunk_length(png_ptr, length);
return length; return length;
} }
@ -2506,6 +2509,41 @@ png_check_chunk_name(png_structp png_ptr, png_bytep chunk_name)
} }
} }
void /* PRIVATE */
png_check_chunk_length(png_structp png_ptr, png_uint_32 length)
{
png_uint_32 limit = PNG_UINT_31_MAX;
/* if (png_ptr->chunk_name != "IDAT") */
if (png_ptr->chunk_name[0] != 73 || png_ptr->chunk_name[1] !=68 ||
png_ptr->chunk_name[2] != 65 || png_ptr->chunk_name[3] !=84)
{
# if PNG_USER_CHUNK_MALLOC_MAX > 0
if (PNG_USER_CHUNK_MALLOC_MAX < limit)
limit = PNG_USER_CHUNK_MALLOC_MAX;
# endif
}
else
{
size_t row_factor =
(png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+ 1 + (png_ptr->interlaced? 6: 0));
if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
limit=PNG_UINT_31_MAX;
else
limit = png_ptr->height * row_factor;
limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */
limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX;
}
if (length > limit)
{
png_debug2(0," length = %lu, limit = %lu",
(unsigned long)length,(unsigned long)limit);
png_chunk_error(png_ptr, "chunk data is too large");
}
}
/* Combines the row recently read in with the existing pixels in the /* Combines the row recently read in with the existing pixels in the
row. This routine takes care of alpha and transparency if requested. row. This routine takes care of alpha and transparency if requested.
This routine also handles the two methods of progressive display This routine also handles the two methods of progressive display