From d9b0182e50e5c6315f1bb05bca934f34224caebb Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson
Date: Sun, 3 Sep 2017 09:24:10 -0500
Subject: [PATCH] [libpng12] Use a more generous size limit for IDAT chunks
---
 ANNOUNCE | 34 +++++++++++++++++++---------------
 CHANGES | 8 ++++++--
 pngrutil.c | 25 ++++++++++++-------------
 3 files changed, 37 insertions(+), 30 deletions(-)
diff --git a/ANNOUNCE b/ANNOUNCE
index 8b86f90a..88f49ce5 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
-Libpng 1.2.59beta01 - August 28, 2017
+Libpng 1.2.59beta02 - September 3, 2017
 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version.
@@ -9,34 +9,34 @@ Files available for download:
 Source files with LF line endings (for Unix/Linux) and with a "configure" script
- libpng-1.2.59beta01.tar.xz (LZMA-compressed, recommended)
- libpng-1.2.59beta01.tar.gz
+ libpng-1.2.59beta02.tar.xz (LZMA-compressed, recommended)
+ libpng-1.2.59beta02.tar.gz
 Source files with LF line endings (for Unix/Linux) without the "configure" script
- libpng-1.2.59beta01-no-config.tar.xz (LZMA-compressed, recommended)
- libpng-1.2.59beta01-no-config.tar.gz
+ libpng-1.2.59beta02-no-config.tar.xz (LZMA-compressed, recommended)
+ libpng-1.2.59beta02-no-config.tar.gz
 Source files with CRLF line endings (for Windows), without the "configure" script
- lp1259b01.zip
- lp1259b01.7z
+ lp1259b02.zip
+ lp1259b02.7z
 Project files
- libpng-1.2.59beta01-project-netware.zip
- libpng-1.2.59beta01-project-wince.zip
+ libpng-1.2.59beta02-project-netware.zip
+ libpng-1.2.59beta02-project-wince.zip
 Other information:
- libpng-1.2.59beta01-README.txt
- libpng-1.2.59beta01-KNOWNBUGS.txt
- libpng-1.2.59beta01-LICENSE.txt
- libpng-1.2.59beta01-Y2K-compliance.txt
- libpng-1.2.59beta01-[previous version]-diff.txt
- libpng-1.2.59beta01-*.asc (armored detached GPG signatures)
+ libpng-1.2.59beta02-README.txt
+ libpng-1.2.59beta02-KNOWNBUGS.txt
+ libpng-1.2.59beta02-LICENSE.txt
+ libpng-1.2.59beta02-Y2K-compliance.txt
+ libpng-1.2.59beta02-[previous version]-diff.txt
+ libpng-1.2.59beta02-*.asc (armored detached GPG signatures)
 Changes since the last public release (1.2.58):
@@ -44,6 +44,10 @@ Version 1.2.59beta01 [August 28, 2017]
 Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing parenthesis in contrib/pngminus/pnm2png.c (bug report by Christian Hesse).
+Version 1.2.59beta02 [September 3, 2017]
+ Compute a larger limit on IDAT because some applications write a deflate
+ buffer for each row (Bug report by Andrew Church).
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/CHANGES b/CHANGES
index 266a560f..4186bf17 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2932,20 +2932,24 @@ version 1.0.67 and 1.2.57 [December 29, 2016]
 version 1.2.58beta01 [August 11, 2017]
 Added png_check_chunk_length() function, and check all chunks except IDAT against the default 8MB limit; check IDAT against the maximum
- size computed from IHDR parameters.
+ size computed from IHDR parameters (Fixes CVE-2017-12652).
 version 1.2.58rc01 [August 19, 2017]
 Check for 0 return from png_get_rowbytes() and added some (size_t) typecasts in contrib/pngminus/*.c to stop some Coverity issues (162705, 162706, and 162707).
-version 1.0.68 and 1.2.58 [August 28, 2017]
+version 1.0.68 and 1.2.58 [September 3, 2017]
 No changes.
 Version 1.2.59beta01 [August 28, 2017]
 Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing parenthesis in contrib/pngminus/pnm2png.c (bug report by Christian Hesse).
+Version 1.2.59beta02 [September 3, 2017]
+ Compute a larger limit on IDAT because some applications write a deflate
+ buffer for each row (Bug report by Andrew Church).
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/pngrutil.c b/pngrutil.c
index ca15ccf2..2b62f24d 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1,7 +1,7 @@
 /* pngrutil.c - utilities to read a PNG file
  *
- * Last changed in libpng 1.2.58 [August 24, 2017]
+ * Last changed in libpng 1.2.59 [(PENDING RELEASE)]
  * Copyright (c) 1998-2002,2004,2006-2015,2017 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -2513,28 +2513,28 @@ void /* PRIVATE */
 png_check_chunk_length(png_structp png_ptr, png_uint_32 length)
 {
    png_uint_32 limit = PNG_UINT_31_MAX;
-
-   /* if (png_ptr->chunk_name != "IDAT") */
-   if (png_ptr->chunk_name[0] != 73 || png_ptr->chunk_name[1] !=68 ||
-       png_ptr->chunk_name[2] != 65 || png_ptr->chunk_name[3] !=84)
-   {
 # if PNG_USER_CHUNK_MALLOC_MAX > 0
    if (PNG_USER_CHUNK_MALLOC_MAX < limit)
       limit = PNG_USER_CHUNK_MALLOC_MAX;
 # endif
-   }
-   else
+   /* if (png_ptr->chunk_name == png_IDAT) */
+   if (png_ptr->chunk_name[0] != 73 || png_ptr->chunk_name[1] !=68 ||
+       png_ptr->chunk_name[2] != 65 || png_ptr->chunk_name[3] !=84)
    {
+      png_uint_32 idat_limit = PNG_UINT_31_MAX;
       size_t row_factor = (png_ptr->width * png_ptr->channels *
          (png_ptr->bit_depth > 8? 2: 1)
          + 1 + (png_ptr->interlaced? 6: 0));
       if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
-         limit=PNG_UINT_31_MAX;
+         idat_limit=PNG_UINT_31_MAX;
       else
-         limit = png_ptr->height * row_factor;
-      limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */
-      limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX;
+         idat_limit = png_ptr->height * row_factor;
+      row_factor = row_factor > 32566? 32566 : row_factor;
+      idat_limit += 6 + 5*(idat_limit/row_factor+1); /* zlib+deflate overhead */
+      idat_limit=idat_limit < PNG_UINT_31_MAX? idat_limit : PNG_UINT_31_MAX;
+      limit = limit < idat_limit? idat_limit : limit;
    }
+
    if (length > limit)
    {
       png_debug2(0," length = %lu, limit = %lu",
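Review bot: The new `if` under the `/* if (png_ptr->chunk_name == png_IDAT) */` comment still tests `!= 73 || ... != 84`, so the block that raises `limit` to the IHDR-derived `idat_limit` runs for every chunk except IDAT, while IDAT itself keeps only the `PNG_USER_CHUNK_MALLOC_MAX` bound. That is the opposite of what the commit message and the new comment describe: the large IDAT from the bug report is still rejected, and because `limit = limit < idat_limit? idat_limit : limit;` can only increase the bound, ancillary chunks lose the per-chunk cap that the 1.2.58beta01 change (the CVE-2017-12652 entry in CHANGES) introduced. The condition should match the comment, with the comparisons and the connective both flipped now that the `else` is gone: `if (png_ptr->chunk_name[0] == 73 && png_ptr->chunk_name[1] == 68 &&` / `png_ptr->chunk_name[2] == 65 && png_ptr->chunk_name[3] == 84)`. The function's closing lines are in the following hunk.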
@@ -2543,7 +2543,6 @@ png_check_chunk_length(png_structp png_ptr, png_uint_32 length)
    }
 }
-
 /* Combines the row recently read in with the existing pixels in the row.
    This routine takes care of alpha and transparency if requested.
    This routine also handles the two methods of progressive display