summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGlenn Randers-Pehrson <glennrp at users.sourceforge.net>2017-08-06 14:13:18 -0500
committerGlenn Randers-Pehrson <glennrp at users.sourceforge.net>2017-08-06 14:13:18 -0500
commitbdca749e351183b04f7edae84ff1a01245ddcdd7 (patch)
treec0eb904cd3478d196d19ceb939c60e77abb36552
parent19855cd8b170ebbd577ac029028b90198a2f0a10 (diff)
downloadlibpng-bdca749e351183b04f7edae84ff1a01245ddcdd7.tar.gz
[libpng17] Added private png_check_chunk_name() and png_check_chunk_length()
functions.
Diffstat
-rw-r--r--ANNOUNCE6
-rw-r--r--CHANGES5
-rw-r--r--pngpread.c2
-rw-r--r--pngpriv.h6
-rw-r--r--pngrutil.c56
5 files changed, 64 insertions, 11 deletions
diff --git a/ANNOUNCE b/ANNOUNCE
index 4bd99f5dc..1b8bc1915 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
-Libpng 1.7.0beta88 - April 1, 2017
+Libpng 1.7.0beta88 - August 6, 2017
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
@@ -1431,7 +1431,9 @@ Version 1.7.0beta87 [April 1, 2017]
makefile.linux and makefile.solaris-x86 (Cosmin).
Merged some recent changes from libpng-1.6.30beta01.
-Version 1.7.0beta88 [April 1, 2017]
+Version 1.7.0beta88 [August 6, 2017]
+ Added private png_check_chunk_name() and png_check_chunk_length()
+ functions.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/CHANGES b/CHANGES
index 0d196c773..4538d0073 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5731,7 +5731,10 @@ Version 1.7.0beta87 [April 1, 2017]
makefile.linux and makefile.solaris-x86 (Cosmin).
Merged some recent changes from libpng-1.6.30beta01.
-Version 1.7.0beta88 [April 1, 2017]
+Version 1.7.0beta88 [August 6, 2017]
+ Initialized btoa[] in pngstest.c
+ Added private png_check_chunk_name() and png_check_chunk_length()
+ functions.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/pngpread.c b/pngpread.c
index 3d25a4328..c7e5425aa 100644
--- a/pngpread.c
+++ b/pngpread.c
@@ -743,6 +743,8 @@ png_push_read_chunk_header(png_structrp png_ptr, png_infop info_ptr)
png_ptr->chunk_length = png_get_uint_31(png_ptr, chunk_header);
png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_header+4);
png_reset_crc(png_ptr, chunk_header+4);
+ png_check_chunk_name(png_ptr, png_ptr->chunk_name);
+ png_check_chunk_length(png_ptr, png_ptr->chunk_length);
mode = png_ptr->mode;
png_ptr->process_mode = png_check_bits(png_ptr,
png_read_chunk+png_find_chunk_op(png_ptr), 4);
diff --git a/pngpriv.h b/pngpriv.h
index c0f29512c..a322fae02 100644
--- a/pngpriv.h
+++ b/pngpriv.h
@@ -1737,6 +1737,12 @@ PNG_INTERNAL_FUNCTION(png_chunk_op,png_find_chunk_op,(png_structrp png_ptr),
* read state.
*/
+PNG_INTERNAL_FUNCTION(void,png_check_chunk_name,(png_const_structrp png_ptr,
+ const png_uint_32 chunk_name),PNG_EMPTY);
+
+PNG_INTERNAL_FUNCTION(void,png_check_chunk_length,(png_const_structrp png_ptr,
+ const png_uint_32 chunk_length),PNG_EMPTY);
+
#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
PNG_INTERNAL_FUNCTION(void,png_handle_unknown,(png_structrp png_ptr,
png_inforp info_ptr, png_bytep chunk_data),PNG_EMPTY);
diff --git a/pngrutil.c b/pngrutil.c
index 2da883eb0..0d41e715d 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -2,7 +2,7 @@
/* pngrutil.c - utilities to read a PNG file
*
* Last changed in libpng 1.7.0 [(PENDING RELEASE)]
- * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson
+ * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
*
@@ -2198,6 +2198,9 @@ png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr)
}
#endif /* USER_LIMITS */
+ /* Note, "length" is sufficient here; we won't be adding
+ * a null terminator later.
+ */
buffer = png_read_buffer(png_ptr, length, 2/*silent*/);
if (buffer == NULL)
@@ -2623,24 +2626,61 @@ png_handle_unknown(png_structrp png_ptr, png_inforp info_ptr,
* ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
*/
-static void
-png_check_chunk_name(png_structrp png_ptr, png_uint_32 chunk_name)
+void /* PRIVATE */
+png_check_chunk_name(png_const_structrp png_ptr, const png_uint_32 chunk_name)
{
int i;
+ png_uint_32 cn=chunk_name;
png_debug(1, "in png_check_chunk_name");
for (i=1; i<=4; ++i)
{
- int c = chunk_name & 0xff;
+ int c = cn & 0xff;
- /* This is unrecoverable at present because it most likely indicates
- * a broken stream.
- */
if (c < 65 || c > 122 || (c > 90 && c < 97))
png_chunk_error(png_ptr, "invalid chunk type");
- chunk_name >>= 8;
+ cn >>= 8;
+ }
+}
+void /* PRIVATE */
+png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
+{
+ png_alloc_size_t limit = PNG_UINT_31_MAX;
+
+ if (png_ptr->chunk_name != png_IDAT)
+ {
+# ifdef PNG_SET_USER_LIMITS_SUPPORTED
+ if (png_ptr->user_chunk_malloc_max > 0 &&
+ png_ptr->user_chunk_malloc_max < limit)
+ limit = png_ptr->user_chunk_malloc_max;
+# elif PNG_USER_CHUNK_MALLOC_MAX > 0
+ if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+ limit = PNG_USER_CHUNK_MALLOC_MAX;
+# endif
+ }
+ else
+ {
+ /* color_type 0 x 2 3 4 x 6 */
+ int channels[]={1,0,3,1,2,0,4};
+ size_t row_factor =
+ (png_ptr->width * channels[png_ptr->color_type] *
+ (png_ptr->bit_depth > 8? 2: 1)
+ + 1 + (png_ptr->interlaced? 6: 0));
+ if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
+ limit=PNG_UINT_31_MAX;
+ else
+ limit = png_ptr->height * row_factor;
+ limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */
+ limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX;
+ }
+
+ if (length > limit)
+ {
+ png_debug2(0," length = %lu, limit = %lu",
+ (unsigned long)length,(unsigned long)limit);
+ png_chunk_error(png_ptr, "chunk data is too large");
}
}
View Lorry Controller Status