diff options
Diffstat (limited to 'pngrutil.c')
| -rw-r--r-- | pngrutil.c | 42 |
1 files changed, 40 insertions, 2 deletions
diff --git a/pngrutil.c b/pngrutil.c index 36ba4efb7..ca15ccf22 100644 --- a/pngrutil.c +++ b/pngrutil.c @@ -1,8 +1,8 @@ /* pngrutil.c - utilities to read a PNG file * - * Last changed in libpng 1.2.55 [December 6, 2015] - * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson + * Last changed in libpng 1.2.58 [August 24, 2017] + * Copyright (c) 1998-2002,2004,2006-2015,2017 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -131,6 +131,9 @@ png_read_chunk_header(png_structp png_ptr) /* Check to see if chunk name is valid */ png_check_chunk_name(png_ptr, png_ptr->chunk_name); + /* Check for too-large chunk length */ + png_check_chunk_length(png_ptr, length); + return length; } @@ -2506,6 +2509,41 @@ png_check_chunk_name(png_structp png_ptr, png_bytep chunk_name) } } +void /* PRIVATE */ +png_check_chunk_length(png_structp png_ptr, png_uint_32 length) +{ + png_uint_32 limit = PNG_UINT_31_MAX; + + /* if (png_ptr->chunk_name != "IDAT") */ + if (png_ptr->chunk_name[0] != 73 || png_ptr->chunk_name[1] !=68 || + png_ptr->chunk_name[2] != 65 || png_ptr->chunk_name[3] !=84) + { +# if PNG_USER_CHUNK_MALLOC_MAX > 0 + if (PNG_USER_CHUNK_MALLOC_MAX < limit) + limit = PNG_USER_CHUNK_MALLOC_MAX; +# endif + } + else + { + size_t row_factor = + (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1) + + 1 + (png_ptr->interlaced? 6: 0)); + if (png_ptr->height > PNG_UINT_32_MAX/row_factor) + limit=PNG_UINT_31_MAX; + else + limit = png_ptr->height * row_factor; + limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */ + limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX; + } + if (length > limit) + { + png_debug2(0," length = %lu, limit = %lu", + (unsigned long)length,(unsigned long)limit); + png_chunk_error(png_ptr, "chunk data is too large"); + } +} + + /* Combines the row recently read in with the existing pixels in the row. This routine takes care of alpha and transparency if requested. This routine also handles the two methods of progressive display |