author | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-08-06 14:13:18 -0500 |
---|---|---|
committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-08-06 14:13:18 -0500 |
commit | bdca749e351183b04f7edae84ff1a01245ddcdd7 (patch) | |
tree | c0eb904cd3478d196d19ceb939c60e77abb36552 | |
parent | 19855cd8b170ebbd577ac029028b90198a2f0a10 (diff) | |
[libpng17] Added private png_check_chunk_name() and png_check_chunk_length()
functions.
-rw-r--r-- | ANNOUNCE | 6 | ||||
-rw-r--r-- | CHANGES | 5 | ||||
-rw-r--r-- | pngpread.c | 2 | ||||
-rw-r--r-- | pngpriv.h | 6 | ||||
-rw-r--r-- | pngrutil.c | 56 |
5 files changed, 64 insertions, 11 deletions
@@ -1,5 +1,5 @@ -Libpng 1.7.0beta88 - April 1, 2017 +Libpng 1.7.0beta88 - August 6, 2017 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -1431,7 +1431,9 @@ Version 1.7.0beta87 [April 1, 2017] makefile.linux and makefile.solaris-x86 (Cosmin). Merged some recent changes from libpng-1.6.30beta01. -Version 1.7.0beta88 [April 1, 2017] +Version 1.7.0beta88 [August 6, 2017] + Added private png_check_chunk_name() and png_check_chunk_length() + functions. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit @@ -5731,7 +5731,10 @@ Version 1.7.0beta87 [April 1, 2017] makefile.linux and makefile.solaris-x86 (Cosmin). Merged some recent changes from libpng-1.6.30beta01. -Version 1.7.0beta88 [April 1, 2017] +Version 1.7.0beta88 [August 6, 2017] + Initialized btoa[] in pngstest.c + Added private png_check_chunk_name() and png_check_chunk_length() + functions. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/pngpread.c b/pngpread.c index 3d25a4328..c7e5425aa 100644 --- a/pngpread.c +++ b/pngpread.c @@ -743,6 +743,8 @@ png_push_read_chunk_header(png_structrp png_ptr, png_infop info_ptr) png_ptr->chunk_length = png_get_uint_31(png_ptr, chunk_header); png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_header+4); png_reset_crc(png_ptr, chunk_header+4); + png_check_chunk_name(png_ptr, png_ptr->chunk_name); + png_check_chunk_length(png_ptr, png_ptr->chunk_length); mode = png_ptr->mode; png_ptr->process_mode = png_check_bits(png_ptr, png_read_chunk+png_find_chunk_op(png_ptr), 4); 
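Review bot: In the pngpread.c hunk, png_check_chunk_length() runs on every chunk header before `mode` is examined, so an IDAT header seen before IHDR gets a limit computed from width, height and color_type fields that have not been set. Assuming those fields start at zero, the stream is rejected with "chunk data is too large" rather than a missing-IHDR diagnosis. The call also depends on `png_ptr->chunk_name` already being assigned, which deserves a comment such as `/* chunk_name must be set first: png_check_chunk_length() reads png_ptr->chunk_name */`. The diff shows the length check added only to the progressive reader, with no matching call in the sequential chunk-header path, so it is worth confirming that path enforces the same limit. The body of png_push_read_chunk_header continues outside the hunk.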
@@ -1737,6 +1737,12 @@ PNG_INTERNAL_FUNCTION(png_chunk_op,png_find_chunk_op,(png_structrp png_ptr), * read state. */ +PNG_INTERNAL_FUNCTION(void,png_check_chunk_name,(png_const_structrp png_ptr, + const png_uint_32 chunk_name),PNG_EMPTY); + +PNG_INTERNAL_FUNCTION(void,png_check_chunk_length,(png_const_structrp png_ptr, + const png_uint_32 chunk_length),PNG_EMPTY); + #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED PNG_INTERNAL_FUNCTION(void,png_handle_unknown,(png_structrp png_ptr, png_inforp info_ptr, png_bytep chunk_data),PNG_EMPTY); diff --git a/pngrutil.c b/pngrutil.c index 2da883eb0..0d41e715d 100644 --- a/pngrutil.c +++ b/pngrutil.c @@ -2,7 +2,7 @@ /* pngrutil.c - utilities to read a PNG file * * Last changed in libpng 1.7.0 [(PENDING RELEASE)] - * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson + * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -2198,6 +2198,9 @@ png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr) } #endif /* USER_LIMITS */ + /* Note, "length" is sufficient here; we won't be adding + * a null terminator later. + */ buffer = png_read_buffer(png_ptr, length, 2/*silent*/); if (buffer == NULL) 
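Review bot: The two prototypes added to pngpriv.h have no comment stating their contract, and they sit directly after a comment block ending in "read state." that appears to belong to the preceding declaration. I would put `/* Validate the chunk type and length of a freshly read chunk header; failures are reported through png_chunk_error(). */` above them, and state that png_check_chunk_length() takes the chunk type from `png_ptr->chunk_name` rather than from an argument. The parameter is named `chunk_length` here but `length` in the pngrutil.c definition, and `const` on a by-value parameter adds nothing in a prototype.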
@@ -2623,24 +2626,61 @@ png_handle_unknown(png_structrp png_ptr, png_inforp info_ptr, * ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97)) */ -static void -png_check_chunk_name(png_structrp png_ptr, png_uint_32 chunk_name) +void /* PRIVATE */ +png_check_chunk_name(png_const_structrp png_ptr, const png_uint_32 chunk_name) { int i; + png_uint_32 cn=chunk_name; png_debug(1, "in png_check_chunk_name"); for (i=1; i<=4; ++i) { - int c = chunk_name & 0xff; + int c = cn & 0xff; - /* This is unrecoverable at present because it most likely indicates - * a broken stream. - */ if (c < 65 || c > 122 || (c > 90 && c < 97)) png_chunk_error(png_ptr, "invalid chunk type"); - chunk_name >>= 8; + cn >>= 8; + } +} +void /* PRIVATE */ +png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length) +{ + png_alloc_size_t limit = PNG_UINT_31_MAX; + + if (png_ptr->chunk_name != png_IDAT) + { +# ifdef PNG_SET_USER_LIMITS_SUPPORTED + if (png_ptr->user_chunk_malloc_max > 0 && + png_ptr->user_chunk_malloc_max < limit) + limit = png_ptr->user_chunk_malloc_max; +# elif PNG_USER_CHUNK_MALLOC_MAX > 0 + if (PNG_USER_CHUNK_MALLOC_MAX < limit) + limit = PNG_USER_CHUNK_MALLOC_MAX; +# endif + } + else + { + /* color_type 0 x 2 3 4 x 6 */ + int channels[]={1,0,3,1,2,0,4}; + size_t row_factor = + (png_ptr->width * channels[png_ptr->color_type] * + (png_ptr->bit_depth > 8? 2: 1) + + 1 + (png_ptr->interlaced? 6: 0)); + if (png_ptr->height > PNG_UINT_32_MAX/row_factor) + limit=PNG_UINT_31_MAX; + else + limit = png_ptr->height * row_factor; + limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */ + limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX; + } + + if (length > limit) + { + png_debug2(0," length = %lu, limit = %lu", + (unsigned long)length,(unsigned long)limit); + png_chunk_error(png_ptr, "chunk data is too large"); } } |
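Review bot: In the IDAT branch of png_check_chunk_length(), `row_factor` is declared size_t, but the product `png_ptr->width * channels[png_ptr->color_type] * (...)` is evaluated in the operands' own type before the assignment. If width is a 32-bit unsigned field, as elsewhere in libpng, the sum can wrap, and a wrapped value of zero makes `PNG_UINT_32_MAX/row_factor` a division by zero driven by file-supplied IHDR dimensions, unless an earlier width limit rules it out. Widening the operands, `(size_t)png_ptr->width * (size_t)channels[png_ptr->color_type] * ...`, and guarding the divide with `if (row_factor == 0 || png_ptr->height > PNG_UINT_32_MAX/row_factor)` removes the wrap on 64-bit builds and keeps 32-bit builds from faulting. `channels[]` is indexed by color_type with no range check in this function, so it relies on IHDR validation having already rejected values above 6. The constant 32566 in the overhead term needs a comment or a named constant, since it is not an obvious deflate block size.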