[libpng17] Use a more generous size limit for IDAT chunks.libpng17

author: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> 2017-09-03 09:20:23 -0500
committer: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> 2017-09-03 09:20:23 -0500
commit: 69ddffdf2c693643533099be0f8a92e9a6080dbd (patch)
tree: b74e4886fb692ac140959f74016dd01583a3b155
parent: 3e2769b9d7d4431476faa59b04ddc0473c47c26d (diff)
download: libpng17.tar.gz
3 files changed, 22 insertions, 18 deletions
diff --git a/ANNOUNCE b/ANNOUNCE
index b10473503..2b98877b7 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
 
-Libpng 1.7.0beta90 - August 28, 2017
+Libpng 1.7.0beta90 - September 3, 2017
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -1433,15 +1433,17 @@ Version 1.7.0beta87 [April 1, 2017]
 
 Version 1.7.0beta88 [August 7. 2017]
   Added private png_check_chunk_name() and png_check_chunk_length()
-    functions.
+    functions (Fixes CVE-2017-12652).
 
 Version 1.7.0beta89 [August 19, 2017]
   Check for 0 return from png_get_rowbytes() in contrib/pngminus/*.c to stop
     some Coverity issues (162705, 162706, and 162707).
 
-Version 1.7.0beta90 [August 28, 2017]
+Version 1.7.0beta90 [September 3, 2017]
   Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing
     parenthesis in contrib/pngminus/pnm2png.c (bug report by Christian Hesse).
+  Compute a larger limit on IDAT because some applications write a deflate
+    buffer for each row (Bug report by Andrew Church).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index 04ca10fc0..957fe355c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5734,15 +5734,17 @@ Version 1.7.0beta87 [April 1, 2017]
 Version 1.7.0beta88 [August 7, 2017]
   Initialized btoa[] in pngstest.c
   Added private png_check_chunk_name() and png_check_chunk_length()
-    functions.
+    functions (Fixes CVE-2017-12652).
 
 Version 1.7.0beta89 [August 19, 2017]
   Check for 0 return from png_get_rowbytes() in contrib/pngminus/*.c to stop
     some Coverity issues (162705, 162706, and 162707).
 
-Version 1.7.0beta90 [August 28, 2017]
+Version 1.7.0beta90 [September 3, 2017]
   Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing
     parenthesis in contrib/pngminus/pnm2png.c (bug report by Christian Hesse).
+  Compute a larger limit on IDAT because some applications write a deflate
+    buffer for each row (Bug report by Andrew Church).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/pngrutil.c b/pngrutil.c
index 0190793b7..c200acb58 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -2649,31 +2649,31 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
 {
    png_alloc_size_t limit = PNG_UINT_31_MAX;
 
-   if (png_ptr->chunk_name != png_IDAT)
-   {
 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
-      if (png_ptr->user_chunk_malloc_max > 0 &&
-          png_ptr->user_chunk_malloc_max < limit)
-         limit = png_ptr->user_chunk_malloc_max;
+   if (png_ptr->user_chunk_malloc_max > 0 &&
+       png_ptr->user_chunk_malloc_max < limit)
+      limit = png_ptr->user_chunk_malloc_max;
 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
-      if (PNG_USER_CHUNK_MALLOC_MAX < limit)
-         limit = PNG_USER_CHUNK_MALLOC_MAX;
+   if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+      limit = PNG_USER_CHUNK_MALLOC_MAX;
 # endif
-   }
-   else
+   if (png_ptr->chunk_name == png_IDAT)
    {
       /* color_type   0 x 2 3 4 x 6 */
       int channels[]={1,0,3,1,2,0,4};
+      png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
       size_t row_factor =
          (png_ptr->width * channels[png_ptr->color_type] *
              (png_ptr->bit_depth > 8? 2: 1)
           + 1 + (png_ptr->interlaced? 6: 0));
       if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
-         limit=PNG_UINT_31_MAX;
+         idat_limit=PNG_UINT_31_MAX;
       else
-         limit = png_ptr->height * row_factor;
-      limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */
-      limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX;
+         idat_limit = png_ptr->height * row_factor;
+      row_factor = row_factor > 32566? 32566 : row_factor;
+      idat_limit += 6 + 5*(idat_limit/row_factor+1); /* zlib+deflate overhead */
+      idat_limit=idat_limit < PNG_UINT_31_MAX? idat_limit : PNG_UINT_31_MAX;
+      limit = limit < idat_limit? idat_limit : limit;
    }
 
    if (length > limit)
author	Glenn Randers-Pehrson <glennrp at users.sourceforge.net>	2017-09-03 09:20:23 -0500
committer	Glenn Randers-Pehrson <glennrp at users.sourceforge.net>	2017-09-03 09:20:23 -0500
commit	69ddffdf2c693643533099be0f8a92e9a6080dbd (patch)
tree	b74e4886fb692ac140959f74016dd01583a3b155
parent	3e2769b9d7d4431476faa59b04ddc0473c47c26d (diff)
download	libpng17.tar.gz