diff options
| author | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-09-03 09:06:48 -0500 |
|---|---|---|
| committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-09-03 09:06:48 -0500 |
| commit | 9a414e2c8f0466e20d1f3bd6c9cc30ebeced9a70 (patch) | |
| tree | 8ccece1bf83a4099e92352696ba7298bb38f1d82 | |
| parent | 99a7952dab058f4d3e662494f2a956560c86e989 (diff) | |
| download | libpng-9a414e2c8f0466e20d1f3bd6c9cc30ebeced9a70.tar.gz | |
[libpng15] Revise pngrutil.c with a more generous size limit for IDAT chunks.
| -rw-r--r-- | CHANGES | 7 | ||||
| -rw-r--r-- | pngrutil.c | 28 |
2 files changed, 20 insertions, 15 deletions
@@ -4540,6 +4540,7 @@ version 1.5.29beta01 [April 1, 2017] Update Sourceforge URLs in documentation (https instead of http). version 1.5.29beta02 [August 9, 2017] + Added png_check_chunk_length() function (Fixes CVE-2017-12652). Moved chunk-name and chunk-length checks into PNG_EXTERN private png_check_chunk_name() and png_check_chunk_length() functions (Suggested by Max Stepin). @@ -4550,7 +4551,7 @@ version 1.5.29beta02 [August 9, 2017] version 1.5.29rc01 [August 19, 2017] No changes. -version 1.5.29 [August 28, 2017] +version 1.5.29 [September 3, 2017] No changes. Version 1.5.30beta01 [August 28, 2017] @@ -4559,6 +4560,10 @@ Version 1.5.30beta01 [August 28, 2017] Fixed off-by-one error in png_do_check_palette_indexes() (Bug report by Mick P., Source Forge Issue #269). +Version 1.5.30beta02 [September 3, 2017] + Compute a larger limit on IDAT because some applications write a deflate + buffer for each row (Bug report by Andrew Church). + Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement diff --git a/pngrutil.c b/pngrutil.c index 66e217856..2601b0060 100644 --- a/pngrutil.c +++ b/pngrutil.c @@ -1,7 +1,7 @@ /* pngrutil.c - utilities to read a PNG file * - * Last changed in libpng 1.5.29 [August 24, 2017] + * Last changed in libpng 1.5.30 [(PENDING RELEASE)] * Copyright (c) 1998-2002,2004,2006-2015,2017 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -2826,28 +2826,28 @@ png_check_chunk_length(png_structp png_ptr, png_uint_32 length) { png_uint_32 limit = PNG_UINT_31_MAX; - if (png_ptr->chunk_name != png_IDAT) - { # ifdef PNG_SET_USER_LIMITS_SUPPORTED - if (png_ptr->user_chunk_malloc_max > 0 && - png_ptr->user_chunk_malloc_max < limit) - limit = png_ptr->user_chunk_malloc_max; + if (png_ptr->user_chunk_malloc_max > 0 && + png_ptr->user_chunk_malloc_max < limit) + limit = png_ptr->user_chunk_malloc_max; # elif PNG_USER_CHUNK_MALLOC_MAX > 0 - if (PNG_USER_CHUNK_MALLOC_MAX < limit) - limit = PNG_USER_CHUNK_MALLOC_MAX; + if (PNG_USER_CHUNK_MALLOC_MAX < limit) + limit = PNG_USER_CHUNK_MALLOC_MAX; # endif - } - else + if (png_ptr->chunk_name == png_IDAT) { + png_alloc_size_t idat_limit = PNG_UINT_31_MAX; size_t row_factor = (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1) + 1 + (png_ptr->interlaced? 6: 0)); if (png_ptr->height > PNG_UINT_32_MAX/row_factor) - limit=PNG_UINT_31_MAX; + idat_limit=PNG_UINT_31_MAX; else - limit = png_ptr->height * row_factor; - limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */ - limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX; + idat_limit = png_ptr->height * row_factor; + row_factor = row_factor > 32566? 32566 : row_factor; + idat_limit += 6 + 5*(idat_limit/row_factor+1); /* zlib+deflate overhead */ + idat_limit=idat_limit < PNG_UINT_31_MAX? idat_limit : PNG_UINT_31_MAX; + limit = limit < idat_limit? idat_limit : limit; } if (length > limit) |