[libpng12] Use a more generous size limit for IDAT chunks

ANNOUNCE

@@ -1,5 +1,5 @@
 
-Libpng 1.2.59beta01 - August 28, 2017
+Libpng 1.2.59beta02 - September 3, 2017
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -9,34 +9,34 @@ Files available for download:
 Source files with LF line endings (for Unix/Linux) and with a
 "configure" script
 
-   libpng-1.2.59beta01.tar.xz (LZMA-compressed, recommended)
-   libpng-1.2.59beta01.tar.gz
+   libpng-1.2.59beta02.tar.xz (LZMA-compressed, recommended)
+   libpng-1.2.59beta02.tar.gz
 
 Source files with LF line endings (for Unix/Linux) without the
 "configure" script
 
-   libpng-1.2.59beta01-no-config.tar.xz (LZMA-compressed, recommended)
-   libpng-1.2.59beta01-no-config.tar.gz
+   libpng-1.2.59beta02-no-config.tar.xz (LZMA-compressed, recommended)
+   libpng-1.2.59beta02-no-config.tar.gz
 
 Source files with CRLF line endings (for Windows), without the
 "configure" script
 
-   lp1259b01.zip
-   lp1259b01.7z
+   lp1259b02.zip
+   lp1259b02.7z
 
 Project files
 
-   libpng-1.2.59beta01-project-netware.zip
-   libpng-1.2.59beta01-project-wince.zip
+   libpng-1.2.59beta02-project-netware.zip
+   libpng-1.2.59beta02-project-wince.zip
 
 Other information:
 
-   libpng-1.2.59beta01-README.txt
-   libpng-1.2.59beta01-KNOWNBUGS.txt
-   libpng-1.2.59beta01-LICENSE.txt
-   libpng-1.2.59beta01-Y2K-compliance.txt
-   libpng-1.2.59beta01-[previous version]-diff.txt
-   libpng-1.2.59beta01-*.asc (armored detached GPG signatures)
+   libpng-1.2.59beta02-README.txt
+   libpng-1.2.59beta02-KNOWNBUGS.txt
+   libpng-1.2.59beta02-LICENSE.txt
+   libpng-1.2.59beta02-Y2K-compliance.txt
+   libpng-1.2.59beta02-[previous version]-diff.txt
+   libpng-1.2.59beta02-*.asc (armored detached GPG signatures)
 
 Changes since the last public release (1.2.58):
 
@@ -44,6 +44,10 @@ Version 1.2.59beta01 [August 28, 2017]
   Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing
     parenthesis in contrib/pngminus/pnm2png.c (bug report by Christian Hesse).
 
+Version 1.2.59beta02 [September 3, 2017]
+  Compute a larger limit on IDAT because some applications write a deflate
+    buffer for each row (Bug report by Andrew Church).
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement

CHANGES

@@ -2932,20 +2932,24 @@ version 1.0.67 and 1.2.57 [December 29, 2016]
 version 1.2.58beta01 [August 11, 2017]
   Added png_check_chunk_length() function, and check all chunks except
     IDAT against the default 8MB limit; check IDAT against the maximum
-    size computed from IHDR parameters.
+    size computed from IHDR parameters (Fixes CVE-2017-12652).
 
 version 1.2.58rc01 [August 19, 2017]
   Check for 0 return from png_get_rowbytes() and added some (size_t) typecasts
     in contrib/pngminus/*.c to stop some Coverity issues (162705, 162706,
     and 162707).
 
-version 1.0.68 and 1.2.58 [August 28, 2017]
+version 1.0.68 and 1.2.58 [September 3, 2017]
   No changes.
 
 Version 1.2.59beta01 [August 28, 2017]
   Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing
     parenthesis in contrib/pngminus/pnm2png.c (bug report by Christian Hesse).
 
+Version 1.2.59beta02 [September 3, 2017]
+  Compute a larger limit on IDAT because some applications write a deflate
+    buffer for each row (Bug report by Andrew Church).
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement

pngrutil.c

@@ -1,7 +1,7 @@
 
 /* pngrutil.c - utilities to read a PNG file
  *
- * Last changed in libpng 1.2.58 [August 24, 2017]
+ * Last changed in libpng 1.2.59 [(PENDING RELEASE)]
  * Copyright (c) 1998-2002,2004,2006-2015,2017 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -2513,28 +2513,28 @@ void /* PRIVATE */
 png_check_chunk_length(png_structp png_ptr, png_uint_32 length)
 {
    png_uint_32 limit = PNG_UINT_31_MAX;
-
-   /* if (png_ptr->chunk_name != "IDAT") */
-   if (png_ptr->chunk_name[0] != 73 || png_ptr->chunk_name[1] !=68 ||
-       png_ptr->chunk_name[2] != 65 || png_ptr->chunk_name[3] !=84)
-   {
 # if PNG_USER_CHUNK_MALLOC_MAX > 0
       if (PNG_USER_CHUNK_MALLOC_MAX < limit)
          limit = PNG_USER_CHUNK_MALLOC_MAX;
 # endif
-   }
-   else
+   /* if (png_ptr->chunk_name == png_IDAT) */
+   if (png_ptr->chunk_name[0] != 73 || png_ptr->chunk_name[1] !=68 ||
+       png_ptr->chunk_name[2] != 65 || png_ptr->chunk_name[3] !=84)
    {
+      png_uint_32 idat_limit = PNG_UINT_31_MAX;
       size_t row_factor =
          (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
           + 1 + (png_ptr->interlaced? 6: 0));
       if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
-         limit=PNG_UINT_31_MAX;
+         idat_limit=PNG_UINT_31_MAX;
       else
-         limit = png_ptr->height * row_factor;
-      limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */
-      limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX;
+         idat_limit = png_ptr->height * row_factor;
+      row_factor = row_factor > 32566? 32566 : row_factor;
+      idat_limit += 6 + 5*(idat_limit/row_factor+1); /* zlib+deflate overhead */
+      idat_limit=idat_limit < PNG_UINT_31_MAX? idat_limit : PNG_UINT_31_MAX;
+      limit = limit < idat_limit? idat_limit : limit;
    }
+
    if (length > limit)
    {
       png_debug2(0," length = %lu, limit = %lu",
@@ -2543,7 +2543,6 @@ png_check_chunk_length(png_structp png_ptr, png_uint_32 length)
    }
 }
 
-
 /* Combines the row recently read in with the existing pixels in the
    row.  This routine takes care of alpha and transparency if requested.
    This routine also handles the two methods of progressive display