author | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-09-03 09:20:23 -0500 |
---|---|---|
committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-09-03 09:20:23 -0500 |
commit | 69ddffdf2c693643533099be0f8a92e9a6080dbd (patch) | |
tree | b74e4886fb692ac140959f74016dd01583a3b155 | |
parent | 3e2769b9d7d4431476faa59b04ddc0473c47c26d (diff) | |
[libpng17] Use a more generous size limit for IDAT chunks.libpng17
-rw-r--r-- | ANNOUNCE | 8 | ||||
-rw-r--r-- | CHANGES | 6 | ||||
-rw-r--r-- | pngrutil.c | 26 |
3 files changed, 22 insertions, 18 deletions
@@ -1,5 +1,5 @@ -Libpng 1.7.0beta90 - August 28, 2017 +Libpng 1.7.0beta90 - September 3, 2017 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -1433,15 +1433,17 @@ Version 1.7.0beta87 [April 1, 2017] Version 1.7.0beta88 [August 7. 2017] Added private png_check_chunk_name() and png_check_chunk_length() - functions. + functions (Fixes CVE-2017-12652). Version 1.7.0beta89 [August 19, 2017] Check for 0 return from png_get_rowbytes() in contrib/pngminus/*.c to stop some Coverity issues (162705, 162706, and 162707). -Version 1.7.0beta90 [August 28, 2017] +Version 1.7.0beta90 [September 3, 2017] Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing parenthesis in contrib/pngminus/pnm2png.c (bug report by Christian Hesse). + Compute a larger limit on IDAT because some applications write a deflate + buffer for each row (Bug report by Andrew Church). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit @@ -5734,15 +5734,17 @@ Version 1.7.0beta87 [April 1, 2017] Version 1.7.0beta88 [August 7, 2017] Initialized btoa[] in pngstest.c Added private png_check_chunk_name() and png_check_chunk_length() - functions. + functions (Fixes CVE-2017-12652). Version 1.7.0beta89 [August 19, 2017] Check for 0 return from png_get_rowbytes() in contrib/pngminus/*.c to stop some Coverity issues (162705, 162706, and 162707). -Version 1.7.0beta90 [August 28, 2017] +Version 1.7.0beta90 [September 3, 2017] Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing parenthesis in contrib/pngminus/pnm2png.c (bug report by Christian Hesse). + Compute a larger limit on IDAT because some applications write a deflate + buffer for each row (Bug report by Andrew Church). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit 
diff --git a/pngrutil.c b/pngrutil.c index 0190793b7..c200acb58 100644 --- a/pngrutil.c +++ b/pngrutil.c @@ -2649,31 +2649,31 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length) { png_alloc_size_t limit = PNG_UINT_31_MAX; - if (png_ptr->chunk_name != png_IDAT) - { # ifdef PNG_SET_USER_LIMITS_SUPPORTED - if (png_ptr->user_chunk_malloc_max > 0 && - png_ptr->user_chunk_malloc_max < limit) - limit = png_ptr->user_chunk_malloc_max; + if (png_ptr->user_chunk_malloc_max > 0 && + png_ptr->user_chunk_malloc_max < limit) + limit = png_ptr->user_chunk_malloc_max; # elif PNG_USER_CHUNK_MALLOC_MAX > 0 - if (PNG_USER_CHUNK_MALLOC_MAX < limit) - limit = PNG_USER_CHUNK_MALLOC_MAX; + if (PNG_USER_CHUNK_MALLOC_MAX < limit) + limit = PNG_USER_CHUNK_MALLOC_MAX; # endif - } - else + if (png_ptr->chunk_name == png_IDAT) { /* color_type 0 x 2 3 4 x 6 */ int channels[]={1,0,3,1,2,0,4}; + png_alloc_size_t idat_limit = PNG_UINT_31_MAX; size_t row_factor = (png_ptr->width * channels[png_ptr->color_type] * (png_ptr->bit_depth > 8? 2: 1) + 1 + (png_ptr->interlaced? 6: 0)); if (png_ptr->height > PNG_UINT_32_MAX/row_factor) - limit=PNG_UINT_31_MAX; + idat_limit=PNG_UINT_31_MAX; else - limit = png_ptr->height * row_factor; - limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */ - limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX; + idat_limit = png_ptr->height * row_factor; + row_factor = row_factor > 32566? 32566 : row_factor; + idat_limit += 6 + 5*(idat_limit/row_factor+1); /* zlib+deflate overhead */ + idat_limit=idat_limit < PNG_UINT_31_MAX? idat_limit : PNG_UINT_31_MAX; + limit = limit < idat_limit? idat_limit : limit; } if (length > limit) |
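Review bot: The overhead addition `idat_limit += 6 + 5*(idat_limit/row_factor+1);` runs before the clamp to PNG_UINT_31_MAX while idat_limit can already be close to PNG_UINT_32_MAX (the height guard only rejects height > PNG_UINT_32_MAX/row_factor), so on a build where png_alloc_size_t is 32 bits the sum can wrap to a value below PNG_UINT_31_MAX that the final clamp then keeps as the limit. Wrapping can only make the limit smaller, so the consequence is a false "chunk too large" rejection of a conformant but extremely tall, narrow image rather than a bypass of the check, but the same result is obtained without the wrap by testing against the cap before adding (below). The final `limit = limit < idat_limit? idat_limit : limit;` also means png_set_chunk_malloc_max() can now only raise the IDAT limit and never lower it; if that is intended it deserves a comment such as `/* user_chunk_malloc_max is a floor for IDAT, not a cap */`. The lookup `channels[png_ptr->color_type]` presumably relies on IHDR having already rejected color types outside 0..6, which this hunk does not show. The closing statements of png_check_chunk_length are outside the hunk.
```c
      /* … unchanged: row_factor computation and height guard … */
      row_factor = row_factor > 32566? 32566 : row_factor;
      {
         /* zlib+deflate overhead: roughly one 5-byte block per row plus the
          * stream header/trailer; test against the cap before adding so the
          * sum cannot wrap when png_alloc_size_t is 32 bits.
          */
         png_alloc_size_t blocks = idat_limit/row_factor + 1;

         if (idat_limit > PNG_UINT_31_MAX - 6 ||
             blocks > (PNG_UINT_31_MAX - 6 - idat_limit)/5)
            idat_limit = PNG_UINT_31_MAX;
         else
            idat_limit += 6 + 5*blocks;
      }
      limit = limit < idat_limit? idat_limit : limit;
```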