authorGlenn Randers-Pehrson <glennrp at users.sourceforge.net>2017-09-03 09:24:10 -0500
committerGlenn Randers-Pehrson <glennrp at users.sourceforge.net>2017-09-03 09:24:10 -0500
commitd9b0182e50e5c6315f1bb05bca934f34224caebb (patch)
tree7cb08a5b29ad4cb051552f0bbe45bb56a47d6632
parentcdde2d6295c3f47637d82e5fb5fa8b922fd8f13f (diff)
downloadlibpng-d9b0182e50e5c6315f1bb05bca934f34224caebb.tar.gz
[libpng12] Use a more generous size limit for IDAT chunks
-rw-r--r--ANNOUNCE34
-rw-r--r--CHANGES8
-rw-r--r--pngrutil.c25
3 files changed, 37 insertions, 30 deletions
diff --git a/ANNOUNCE b/ANNOUNCE
index 8b86f90a2..88f49ce5e 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
-Libpng 1.2.59beta01 - August 28, 2017
+Libpng 1.2.59beta02 - September 3, 2017
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
@@ -9,34 +9,34 @@ Files available for download:
Source files with LF line endings (for Unix/Linux) and with a
"configure" script
- libpng-1.2.59beta01.tar.xz (LZMA-compressed, recommended)
- libpng-1.2.59beta01.tar.gz
+ libpng-1.2.59beta02.tar.xz (LZMA-compressed, recommended)
+ libpng-1.2.59beta02.tar.gz
Source files with LF line endings (for Unix/Linux) without the
"configure" script
- libpng-1.2.59beta01-no-config.tar.xz (LZMA-compressed, recommended)
- libpng-1.2.59beta01-no-config.tar.gz
+ libpng-1.2.59beta02-no-config.tar.xz (LZMA-compressed, recommended)
+ libpng-1.2.59beta02-no-config.tar.gz
Source files with CRLF line endings (for Windows), without the
"configure" script
- lp1259b01.zip
- lp1259b01.7z
+ lp1259b02.zip
+ lp1259b02.7z
Project files
- libpng-1.2.59beta01-project-netware.zip
- libpng-1.2.59beta01-project-wince.zip
+ libpng-1.2.59beta02-project-netware.zip
+ libpng-1.2.59beta02-project-wince.zip
Other information:
- libpng-1.2.59beta01-README.txt
- libpng-1.2.59beta01-KNOWNBUGS.txt
- libpng-1.2.59beta01-LICENSE.txt
- libpng-1.2.59beta01-Y2K-compliance.txt
- libpng-1.2.59beta01-[previous version]-diff.txt
- libpng-1.2.59beta01-*.asc (armored detached GPG signatures)
+ libpng-1.2.59beta02-README.txt
+ libpng-1.2.59beta02-KNOWNBUGS.txt
+ libpng-1.2.59beta02-LICENSE.txt
+ libpng-1.2.59beta02-Y2K-compliance.txt
+ libpng-1.2.59beta02-[previous version]-diff.txt
+ libpng-1.2.59beta02-*.asc (armored detached GPG signatures)
Changes since the last public release (1.2.58):
@@ -44,6 +44,10 @@ Version 1.2.59beta01 [August 28, 2017]
Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing
parenthesis in contrib/pngminus/pnm2png.c (bug report by Christian Hesse).
+Version 1.2.59beta02 [September 3, 2017]
+ Compute a larger limit on IDAT because some applications write a deflate
+ buffer for each row (Bug report by Andrew Church).
+
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/CHANGES b/CHANGES
index 266a560f2..4186bf175 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2932,20 +2932,24 @@ version 1.0.67 and 1.2.57 [December 29, 2016]
version 1.2.58beta01 [August 11, 2017]
Added png_check_chunk_length() function, and check all chunks except
IDAT against the default 8MB limit; check IDAT against the maximum
- size computed from IHDR parameters.
+ size computed from IHDR parameters (Fixes CVE-2017-12652).
version 1.2.58rc01 [August 19, 2017]
Check for 0 return from png_get_rowbytes() and added some (size_t) typecasts
in contrib/pngminus/*.c to stop some Coverity issues (162705, 162706,
and 162707).
-version 1.0.68 and 1.2.58 [August 28, 2017]
+version 1.0.68 and 1.2.58 [September 3, 2017]
No changes.
Version 1.2.59beta01 [August 28, 2017]
Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing
parenthesis in contrib/pngminus/pnm2png.c (bug report by Christian Hesse).
+Version 1.2.59beta02 [September 3, 2017]
+ Compute a larger limit on IDAT because some applications write a deflate
+ buffer for each row (Bug report by Andrew Church).
+
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/pngrutil.c b/pngrutil.c
index ca15ccf22..2b62f24df 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1,7 +1,7 @@
/* pngrutil.c - utilities to read a PNG file
*
- * Last changed in libpng 1.2.58 [August 24, 2017]
+ * Last changed in libpng 1.2.59 [(PENDING RELEASE)]
* Copyright (c) 1998-2002,2004,2006-2015,2017 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -2513,28 +2513,28 @@ void /* PRIVATE */
png_check_chunk_length(png_structp png_ptr, png_uint_32 length)
{
png_uint_32 limit = PNG_UINT_31_MAX;
-
- /* if (png_ptr->chunk_name != "IDAT") */
- if (png_ptr->chunk_name[0] != 73 || png_ptr->chunk_name[1] !=68 ||
- png_ptr->chunk_name[2] != 65 || png_ptr->chunk_name[3] !=84)
- {
# if PNG_USER_CHUNK_MALLOC_MAX > 0
if (PNG_USER_CHUNK_MALLOC_MAX < limit)
limit = PNG_USER_CHUNK_MALLOC_MAX;
# endif
- }
- else
+ /* if (png_ptr->chunk_name == png_IDAT) */
+ if (png_ptr->chunk_name[0] != 73 || png_ptr->chunk_name[1] !=68 ||
+ png_ptr->chunk_name[2] != 65 || png_ptr->chunk_name[3] !=84)
{
+ png_uint_32 idat_limit = PNG_UINT_31_MAX;
size_t row_factor =
(png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+ 1 + (png_ptr->interlaced? 6: 0));
if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
- limit=PNG_UINT_31_MAX;
+ idat_limit=PNG_UINT_31_MAX;
else
- limit = png_ptr->height * row_factor;
- limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */
- limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX;
+ idat_limit = png_ptr->height * row_factor;
+ row_factor = row_factor > 32566? 32566 : row_factor;
+ idat_limit += 6 + 5*(idat_limit/row_factor+1); /* zlib+deflate overhead */
+ idat_limit=idat_limit < PNG_UINT_31_MAX? idat_limit : PNG_UINT_31_MAX;
+ limit = limit < idat_limit? idat_limit : limit;
}
+
if (length > limit)
{
png_debug2(0," length = %lu, limit = %lu",
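Review bot: The test under the `/* if (png_ptr->chunk_name == png_IDAT) */` comment checks the opposite of what the comment says — four `!=` comparisons joined by `||` are true for every chunk that is not IDAT — so the image-derived idat_limit is computed for non-IDAT chunks while an actual IDAT chunk is only checked against PNG_USER_CHUNK_MALLOC_MAX. That rejects legitimate IDAT chunks larger than the user limit and, through `limit = limit < idat_limit? idat_limit : limit;`, lets every other chunk type grow up to the image-derived bound, which weakens the default 8MB limit that the CHANGES entry above associates with CVE-2017-12652. The `!=`/`||` form was only correct in the removed version because the IDAT work sat in the `else` branch; with the IDAT work now in the `if` body the condition should read `if (png_ptr->chunk_name[0] == 73 && png_ptr->chunk_name[1] == 68 &&` followed by `png_ptr->chunk_name[2] == 65 && png_ptr->chunk_name[3] == 84)`. The body of png_check_chunk_length continues past the end of this hunk.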
@@ -2543,7 +2543,6 @@ png_check_chunk_length(png_structp png_ptr, png_uint_32 length)
}
}
-
/* Combines the row recently read in with the existing pixels in the
row. This routine takes care of alpha and transparency if requested.
This routine also handles the two methods of progressive display