[libpng12] Added png_check_chunk_length() function.
parent
96091fe7ce
commit
4d4f472108
5
ANNOUNCE
5
ANNOUNCE
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
Libpng 1.2.58beta01 - December 30, 2016
|
Libpng 1.2.58beta01 - August 7, 2017
|
||||||
|
|
||||||
This is not intended to be a public release. It will be replaced
|
This is not intended to be a public release. It will be replaced
|
||||||
within a few weeks by a public version or by another test version.
|
within a few weeks by a public version or by another test version.
|
||||||
@ -40,7 +40,8 @@ Other information:
|
|||||||
|
|
||||||
Changes since the last public release (1.2.57):
|
Changes since the last public release (1.2.57):
|
||||||
|
|
||||||
version 1.2.58beta01 [December 30, 2016]
|
version 1.2.58beta01 [August 7, 2017]
|
||||||
|
Added png_check_chunk_length() function.
|
||||||
|
|
||||||
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
|
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
|
||||||
(subscription required; visit
|
(subscription required; visit
|
||||||
|
5
CHANGES
5
CHANGES
@ -2927,9 +2927,10 @@ version 1.2.57rc01 [December 27, 2016]
|
|||||||
|
|
||||||
version 1.0.67 and 1.2.57 [December 29, 2016]
|
version 1.0.67 and 1.2.57 [December 29, 2016]
|
||||||
Fixed a potential null pointer dereference in png_set_text_2() (bug report
|
Fixed a potential null pointer dereference in png_set_text_2() (bug report
|
||||||
and patch by Patrick Keshishian).
|
and patch by Patrick Keshishian, CVE-2016-10087).
|
||||||
|
|
||||||
version 1.2.58beta01 [December 30, 2016]
|
version 1.2.58beta01 [August 7, 2017]
|
||||||
|
Added png_check_chunk_length() function.
|
||||||
|
|
||||||
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
|
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
|
||||||
(subscription required; visit
|
(subscription required; visit
|
||||||
|
17
png.h
17
png.h
@ -1,7 +1,7 @@
|
|||||||
|
|
||||||
/* png.h - header file for PNG reference library
|
/* png.h - header file for PNG reference library
|
||||||
*
|
*
|
||||||
* libpng version 1.2.58beta01, December 30, 2016
|
* libpng version 1.2.58beta01, August 7, 2017
|
||||||
*
|
*
|
||||||
* Copyright (c) 1998-2017 Glenn Randers-Pehrson
|
* Copyright (c) 1998-2017 Glenn Randers-Pehrson
|
||||||
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
|
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
|
||||||
@ -12,7 +12,7 @@
|
|||||||
* Authors and maintainers:
|
* Authors and maintainers:
|
||||||
* libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat
|
* libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat
|
||||||
* libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger
|
* libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger
|
||||||
* libpng versions 0.97, January 1998, through 1.2.58beta01, December 30, 2016: Glenn
|
* libpng versions 0.97, January 1998, through 1.2.58beta01, August 7, 2017: Glenn
|
||||||
* See also "Contributing Authors", below.
|
* See also "Contributing Authors", below.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
@ -24,7 +24,7 @@
|
|||||||
*
|
*
|
||||||
* This code is released under the libpng license.
|
* This code is released under the libpng license.
|
||||||
*
|
*
|
||||||
* libpng versions 1.0.7, July 1, 2000, through 1.2.58beta01, December 30, 2016, are
|
* libpng versions 1.0.7, July 1, 2000, through 1.2.58beta01, August 7, 2017, are
|
||||||
* Copyright (c) 2000-2002, 2004, 2006-2017 Glenn Randers-Pehrson, are
|
* Copyright (c) 2000-2002, 2004, 2006-2017 Glenn Randers-Pehrson, are
|
||||||
* derived from libpng-1.0.6, and are distributed according to the same
|
* derived from libpng-1.0.6, and are distributed according to the same
|
||||||
* disclaimer and license as libpng-1.0.6 with the following individuals
|
* disclaimer and license as libpng-1.0.6 with the following individuals
|
||||||
@ -179,8 +179,8 @@
|
|||||||
* ...
|
* ...
|
||||||
* 1.0.19 10 10019 10.so.0.19[.0]
|
* 1.0.19 10 10019 10.so.0.19[.0]
|
||||||
* ...
|
* ...
|
||||||
* 1.0.67 10 10067 10.so.0.67[.0]
|
* 1.0.68 10 10068 10.so.0.68[.0]
|
||||||
* 1.2.57 13 10257 12.so.0.57[.0]
|
* 1.2.58 13 10258 12.so.0.58[.0]
|
||||||
*
|
*
|
||||||
* Henceforth the source version will match the shared-library major
|
* Henceforth the source version will match the shared-library major
|
||||||
* and minor numbers; the shared-library major version number will be
|
* and minor numbers; the shared-library major version number will be
|
||||||
@ -208,7 +208,7 @@
|
|||||||
* Y2K compliance in libpng:
|
* Y2K compliance in libpng:
|
||||||
* =========================
|
* =========================
|
||||||
*
|
*
|
||||||
* December 30, 2016
|
* August 7, 2017
|
||||||
*
|
*
|
||||||
* Since the PNG Development group is an ad-hoc body, we can't make
|
* Since the PNG Development group is an ad-hoc body, we can't make
|
||||||
* an official declaration.
|
* an official declaration.
|
||||||
@ -272,7 +272,7 @@
|
|||||||
/* Version information for png.h - this should match the version in png.c */
|
/* Version information for png.h - this should match the version in png.c */
|
||||||
#define PNG_LIBPNG_VER_STRING "1.2.58beta01"
|
#define PNG_LIBPNG_VER_STRING "1.2.58beta01"
|
||||||
#define PNG_HEADER_VERSION_STRING \
|
#define PNG_HEADER_VERSION_STRING \
|
||||||
" libpng version 1.2.58beta01 - December 30, 2016\n"
|
" libpng version 1.2.58beta01 - August 7, 2017\n"
|
||||||
|
|
||||||
#define PNG_LIBPNG_VER_SONUM 0
|
#define PNG_LIBPNG_VER_SONUM 0
|
||||||
#define PNG_LIBPNG_VER_DLLNUM 13
|
#define PNG_LIBPNG_VER_DLLNUM 13
|
||||||
@ -3409,6 +3409,9 @@ PNG_EXTERN void png_handle_unknown PNGARG((png_structp png_ptr,
|
|||||||
PNG_EXTERN void png_check_chunk_name PNGARG((png_structp png_ptr,
|
PNG_EXTERN void png_check_chunk_name PNGARG((png_structp png_ptr,
|
||||||
png_bytep chunk_name)) PNG_PRIVATE;
|
png_bytep chunk_name)) PNG_PRIVATE;
|
||||||
|
|
||||||
|
PNG_EXTERN void png_check_chunk_length PNGARG((png_structp png_ptr,
|
||||||
|
png_uint_32 chunk_length)) PNG_PRIVATE;
|
||||||
|
|
||||||
/* Handle the transformations for reading and writing */
|
/* Handle the transformations for reading and writing */
|
||||||
PNG_EXTERN void png_do_read_transformations
|
PNG_EXTERN void png_do_read_transformations
|
||||||
PNGARG((png_structp png_ptr)) PNG_PRIVATE;
|
PNGARG((png_structp png_ptr)) PNG_PRIVATE;
|
||||||
|
@ -205,6 +205,7 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr)
|
|||||||
png_reset_crc(png_ptr);
|
png_reset_crc(png_ptr);
|
||||||
png_crc_read(png_ptr, png_ptr->chunk_name, 4);
|
png_crc_read(png_ptr, png_ptr->chunk_name, 4);
|
||||||
png_check_chunk_name(png_ptr, png_ptr->chunk_name);
|
png_check_chunk_name(png_ptr, png_ptr->chunk_name);
|
||||||
|
png_check_chunk_length(png_ptr, png_ptr->push_length);
|
||||||
png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
|
png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
38
pngrutil.c
38
pngrutil.c
@ -131,6 +131,9 @@ png_read_chunk_header(png_structp png_ptr)
|
|||||||
/* Check to see if chunk name is valid */
|
/* Check to see if chunk name is valid */
|
||||||
png_check_chunk_name(png_ptr, png_ptr->chunk_name);
|
png_check_chunk_name(png_ptr, png_ptr->chunk_name);
|
||||||
|
|
||||||
|
/* Check for too-large chunk length */
|
||||||
|
png_check_chunk_length(png_ptr, length);
|
||||||
|
|
||||||
return length;
|
return length;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2506,6 +2509,41 @@ png_check_chunk_name(png_structp png_ptr, png_bytep chunk_name)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void /* PRIVATE */
|
||||||
|
png_check_chunk_length(png_structp png_ptr, png_uint_32 length)
|
||||||
|
{
|
||||||
|
png_uint_32 limit = PNG_UINT_31_MAX;
|
||||||
|
|
||||||
|
/* if (png_ptr->chunk_name != "IDAT") */
|
||||||
|
if (png_ptr->chunk_name[0] != 73 || png_ptr->chunk_name[1] !=68 ||
|
||||||
|
png_ptr->chunk_name[2] != 65 || png_ptr->chunk_name[3] !=84)
|
||||||
|
{
|
||||||
|
# if PNG_USER_CHUNK_MALLOC_MAX > 0
|
||||||
|
if (PNG_USER_CHUNK_MALLOC_MAX < limit)
|
||||||
|
limit = PNG_USER_CHUNK_MALLOC_MAX;
|
||||||
|
# endif
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
size_t row_factor =
|
||||||
|
(png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
|
||||||
|
+ 1 + (png_ptr->interlaced? 6: 0));
|
||||||
|
if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
|
||||||
|
limit=PNG_UINT_31_MAX;
|
||||||
|
else
|
||||||
|
limit = png_ptr->height * row_factor;
|
||||||
|
limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */
|
||||||
|
limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX;
|
||||||
|
}
|
||||||
|
if (length > limit)
|
||||||
|
{
|
||||||
|
png_debug2(0," length = %lu, limit = %lu",
|
||||||
|
(unsigned long)length,(unsigned long)limit);
|
||||||
|
png_chunk_error(png_ptr, "chunk data is too large");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/* Combines the row recently read in with the existing pixels in the
|
/* Combines the row recently read in with the existing pixels in the
|
||||||
row. This routine takes care of alpha and transparency if requested.
|
row. This routine takes care of alpha and transparency if requested.
|
||||||
This routine also handles the two methods of progressive display
|
This routine also handles the two methods of progressive display
|
||||||
|
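Review bot: In the IDAT branch of png_check_chunk_length, the product `png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)` is presumably evaluated in 32-bit arithmetic before it is widened into `size_t row_factor` (the field types are declared outside this page), so a very large width can wrap the sum to 0 and `PNG_UINT_32_MAX/row_factor` then divides by zero on attacker-supplied IHDR values. Widen before multiplying, `(size_t)png_ptr->width * (size_t)png_ptr->channels * ...`, and change the guard to `if (row_factor == 0 || png_ptr->height > PNG_UINT_32_MAX/row_factor)`, since size_t may itself be 32 bits. Separately, `limit` is a png_uint_32 that can be close to PNG_UINT_32_MAX when `limit += 6 + 5*(limit/32566+1);` runs, and a wrap there would leave a small limit that rejects a valid IDAT; clamping to PNG_UINT_31_MAX before adding the overhead as well as after avoids that. The constant 32566 also deserves a comment saying which zlib block size it stands for, because the existing `/* zlib+deflate overhead */` comment does not explain it.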