authorGlenn Randers-Pehrson <glennrp at users.sourceforge.net>2017-08-07 05:51:12 -0500
committerGlenn Randers-Pehrson <glennrp at users.sourceforge.net>2017-08-07 05:51:12 -0500
commit4d4f4721088414b72233aaf1ab19941666cdc76d (patch)
tree46fefb2c84a9c46db90eb92699741a31902b3e93
parent96091fe7ceb0f7bd783a3fa4e3d94d8b44537fb2 (diff)
downloadlibpng-4d4f4721088414b72233aaf1ab19941666cdc76d.tar.gz
[libpng12] Added png_check_chunk_length() function.
-rw-r--r--ANNOUNCE5
-rw-r--r--CHANGES5
-rw-r--r--png.h17
-rw-r--r--pngpread.c1
-rw-r--r--pngrutil.c38
5 files changed, 55 insertions, 11 deletions
diff --git a/ANNOUNCE b/ANNOUNCE
index 12965e4a9..ceff23dd5 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
-Libpng 1.2.58beta01 - December 30, 2016
+Libpng 1.2.58beta01 - August 7, 2017
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
@@ -40,7 +40,8 @@ Other information:
Changes since the last public release (1.2.57):
-version 1.2.58beta01 [December 30, 2016]
+version 1.2.58beta01 [August 7, 2017]
+ Added png_check_chunk_length() function.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/CHANGES b/CHANGES
index 1b52aef95..a1a45f3ce 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2927,9 +2927,10 @@ version 1.2.57rc01 [December 27, 2016]
version 1.0.67 and 1.2.57 [December 29, 2016]
Fixed a potential null pointer dereference in png_set_text_2() (bug report
- and patch by Patrick Keshishian).
+ and patch by Patrick Keshishian, CVE-2016-10087).
-version 1.2.58beta01 [December 30, 2016]
+version 1.2.58beta01 [August 7, 2017]
+ Added png_check_chunk_length() function.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/png.h b/png.h
index b2461323a..09a4ad7e1 100644
--- a/png.h
+++ b/png.h
@@ -1,7 +1,7 @@
/* png.h - header file for PNG reference library
*
- * libpng version 1.2.58beta01, December 30, 2016
+ * libpng version 1.2.58beta01, August 7, 2017
*
* Copyright (c) 1998-2017 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
@@ -12,7 +12,7 @@
* Authors and maintainers:
* libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat
* libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger
- * libpng versions 0.97, January 1998, through 1.2.58beta01, December 30, 2016: Glenn
+ * libpng versions 0.97, January 1998, through 1.2.58beta01, August 7, 2017: Glenn
* See also "Contributing Authors", below.
*/
@@ -24,7 +24,7 @@
*
* This code is released under the libpng license.
*
- * libpng versions 1.0.7, July 1, 2000, through 1.2.58beta01, December 30, 2016, are
+ * libpng versions 1.0.7, July 1, 2000, through 1.2.58beta01, August 7, 2017, are
* Copyright (c) 2000-2002, 2004, 2006-2017 Glenn Randers-Pehrson, are
* derived from libpng-1.0.6, and are distributed according to the same
* disclaimer and license as libpng-1.0.6 with the following individuals
@@ -179,8 +179,8 @@
* ...
* 1.0.19 10 10019 10.so.0.19[.0]
* ...
- * 1.0.67 10 10067 10.so.0.67[.0]
- * 1.2.57 13 10257 12.so.0.57[.0]
+ * 1.0.68 10 10068 10.so.0.68[.0]
+ * 1.2.58 13 10258 12.so.0.58[.0]
*
* Henceforth the source version will match the shared-library major
* and minor numbers; the shared-library major version number will be
@@ -208,7 +208,7 @@
* Y2K compliance in libpng:
* =========================
*
- * December 30, 2016
+ * August 7, 2017
*
* Since the PNG Development group is an ad-hoc body, we can't make
* an official declaration.
@@ -272,7 +272,7 @@
/* Version information for png.h - this should match the version in png.c */
#define PNG_LIBPNG_VER_STRING "1.2.58beta01"
#define PNG_HEADER_VERSION_STRING \
- " libpng version 1.2.58beta01 - December 30, 2016\n"
+ " libpng version 1.2.58beta01 - August 7, 2017\n"
#define PNG_LIBPNG_VER_SONUM 0
#define PNG_LIBPNG_VER_DLLNUM 13
@@ -3409,6 +3409,9 @@ PNG_EXTERN void png_handle_unknown PNGARG((png_structp png_ptr,
PNG_EXTERN void png_check_chunk_name PNGARG((png_structp png_ptr,
png_bytep chunk_name)) PNG_PRIVATE;
+PNG_EXTERN void png_check_chunk_length PNGARG((png_structp png_ptr,
+ png_uint_32 chunk_length)) PNG_PRIVATE;
+
/* Handle the transformations for reading and writing */
PNG_EXTERN void png_do_read_transformations
PNGARG((png_structp png_ptr)) PNG_PRIVATE;
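Review bot: The new `png_check_chunk_length` prototype is the only private declaration in this stretch without an introductory comment, while the neighbouring group gets `/* Handle the transformations for reading and writing */`. A one-line comment above it would save readers a trip to pngrutil.c, e.g. `/* Reject a chunk whose declared length exceeds PNG_USER_CHUNK_MALLOC_MAX (non-IDAT) or a size estimate derived from the image dimensions (IDAT); fails via png_chunk_error */`. That wording is taken from the body added in pngrutil.c in this same commit, so it should be kept in step if the limits change.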
diff --git a/pngpread.c b/pngpread.c
index ec2aa7d4b..319a3140d 100644
--- a/pngpread.c
+++ b/pngpread.c
@@ -205,6 +205,7 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr)
png_reset_crc(png_ptr);
png_crc_read(png_ptr, png_ptr->chunk_name, 4);
png_check_chunk_name(png_ptr, png_ptr->chunk_name);
+ png_check_chunk_length(png_ptr, png_ptr->push_length);
png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
}
diff --git a/pngrutil.c b/pngrutil.c
index 36ba4efb7..9011f7063 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -131,6 +131,9 @@ png_read_chunk_header(png_structp png_ptr)
/* Check to see if chunk name is valid */
png_check_chunk_name(png_ptr, png_ptr->chunk_name);
+ /* Check for too-large chunk length */
+ png_check_chunk_length(png_ptr, length);
+
return length;
}
@@ -2506,6 +2509,41 @@ png_check_chunk_name(png_structp png_ptr, png_bytep chunk_name)
}
}
+void /* PRIVATE */
+png_check_chunk_length(png_structp png_ptr, png_uint_32 length)
+{
+ png_uint_32 limit = PNG_UINT_31_MAX;
+
+ /* if (png_ptr->chunk_name != "IDAT") */
+ if (png_ptr->chunk_name[0] != 73 || png_ptr->chunk_name[1] !=68 ||
+ png_ptr->chunk_name[2] != 65 || png_ptr->chunk_name[3] !=84)
+ {
+# if PNG_USER_CHUNK_MALLOC_MAX > 0
+ if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+ limit = PNG_USER_CHUNK_MALLOC_MAX;
+# endif
+ }
+ else
+ {
+ size_t row_factor =
+ (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+ + 1 + (png_ptr->interlaced? 6: 0));
+ if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
+ limit=PNG_UINT_31_MAX;
+ else
+ limit = png_ptr->height * row_factor;
+ limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */
+ limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX;
+ }
+ if (length > limit)
+ {
+ png_debug2(0," length = %lu, limit = %lu",
+ (unsigned long)length,(unsigned long)limit);
+ png_chunk_error(png_ptr, "chunk data is too large");
+ }
+}
+
+
/* Combines the row recently read in with the existing pixels in the
row. This routine takes care of alpha and transparency if requested.
This routine also handles the two methods of progressive display
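Review bot: The IDAT branch of `png_check_chunk_length` can wrap in two places and then reject a valid chunk with "chunk data is too large": `png_ptr->width * png_ptr->channels * (…)` is evaluated in png_uint_32 before it is widened into the size_t `row_factor`, and `limit += 6 + 5*(limit/32566+1)` overflows the png_uint_32 `limit` whenever `height * row_factor` lands within that overhead of PNG_UINT_32_MAX, after which the clamp on the following line keeps the wrapped small value. Since the clamp only ever needs PNG_UINT_31_MAX, guarding with `if (png_ptr->height > PNG_UINT_31_MAX/row_factor)` keeps `limit` plus overhead inside 32 bits, and `(size_t)png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)` removes the first wrap where size_t is 64 bits (a 32-bit size_t would still need an explicit check on the product). The consequence is spurious rejection of large but well-formed images rather than a memory-safety problem, since the function only ever errors out via png_chunk_error. The comment `/* if (png_ptr->chunk_name != "IDAT") */` is pseudo-code; if the decimal byte values 73/68/65/84 are deliberate (charset portability), the comment should say so, otherwise `'I'`, `'D'`, `'A'`, `'T'` read more clearly.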