cheng/libpng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[libpng16] Relocate the iCCP length test to a point after reading the keyword

Browse Source
This commit is contained in:
Glenn Randers-Pehrson 2017-08-06 08:25:56 -05:00
parent 8ed418b042
commit 099558d100
3 changed files with 17 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ANNOUNCE
View File

@ -90,7 +90,8 @@ Version 1.6.32beta11 [August 6, 2017]
Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix OSS-fuzz UMR. Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix OSS-fuzz UMR.
Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue. Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue.
Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), to account Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), to account
for the minimum 'deflate' stream. for the minimum 'deflate' stream, and relocate the test to a point
after the keyword has been read.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

3
CHANGES
View File

@ -5973,7 +5973,8 @@ Version 1.6.32beta11 [August 6, 2017]
Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix OSS-fuzz UMR. Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix OSS-fuzz UMR.
Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue. Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue.
Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), to account Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), to account
for the minimum 'deflate' stream. for the minimum 'deflate' stream, and relocate the test to a point
after the keyword has been read.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

23
pngrutil.c
View File

@ -1380,17 +1380,7 @@ png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
* chunk is just ignored, so does not invalidate the color space. An * chunk is just ignored, so does not invalidate the color space. An
* alternative is to set the 'invalid' flags at the start of this routine * alternative is to set the 'invalid' flags at the start of this routine
* and only clear them in they were not set before and all the tests pass. * and only clear them in they were not set before and all the tests pass.
* The minimum 'zlib' stream is assumed to be just the 2 byte header,
* 5 bytes minimum 'deflate' stream, and the 4 byte checksum. The keyword
* must be at least one character and there is a terminator (0) byte and
* the compression method.
*/ */
if (length < 14)
{
png_crc_finish(png_ptr, length);
png_chunk_benign_error(png_ptr, "too short");
return;
}
/* If a colorspace error has already been output skip this chunk */ /* If a colorspace error has already been output skip this chunk */
if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0) if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
@ -1417,6 +1407,19 @@ png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
png_crc_read(png_ptr, (png_bytep)keyword, read_length); png_crc_read(png_ptr, (png_bytep)keyword, read_length);
length -= read_length; length -= read_length;
/* The minimum 'zlib' stream is assumed to be just the 2 byte header,
* 5 bytes minimum 'deflate' stream, and the 4 byte checksum. The keyword
* must be at least one character and there is a terminator (0) byte and
* the compression method.
*/
if (length < 14)
{
png_crc_finish(png_ptr, length);
png_chunk_benign_error(png_ptr, "too short");
return;
}
keyword_length = 0; keyword_length = 0;
while (keyword_length < 80 && keyword_length < read_length && while (keyword_length < 80 && keyword_length < read_length &&
keyword[keyword_length] != 0) keyword[keyword_length] != 0)