[libpng16] Changed png_inflate() and calling routines to avoid overflow

problems.  This is an intermediate check-in that solves the immediate problems
and introduces one performance improvement (avoiding a copy via png_ptr->zbuf.)
Further changes will be made to make ICC profile handling more secure.
John Bowler 2012-03-03 21:10:26 -06:00 committed by Glenn Randers-Pehrson
parent 29a6ba01a7
commit 0ae4f7b705
6 changed files with 491 additions and 480 deletions


@ -261,6 +261,10 @@ Version 1.6.0beta15 [March 2, 2012]
Version 1.6.0beta16 [March 4, 2012] Version 1.6.0beta16 [March 4, 2012]
Relocated palette-index checking function from pngrutil.c to pngtrans.c Relocated palette-index checking function from pngrutil.c to pngtrans.c
Added palette-index checking while writing. Added palette-index checking while writing.
Changed png_inflate() and calling routines to avoid overflow problems.
This is an intermediate check-in that solves the immediate problems and
introduces one performance improvement (avoiding a copy via png_ptr->zbuf.)
Further changes will be made to make ICC profile handling more secure.
Fixed build warnings (MSVC, GCC, GCC v3). Cygwin GCC with default options Fixed build warnings (MSVC, GCC, GCC v3). Cygwin GCC with default options
declares 'index' as a global, causing a warning if it is used as a local declares 'index' as a global, causing a warning if it is used as a local
variable. GCC 64-bit warns about assigning a (size_t) (unsigned 64-bit) variable. GCC 64-bit warns about assigning a (size_t) (unsigned 64-bit)


@ -4012,6 +4012,10 @@ Version 1.6.0beta15 [March 2, 2012]
Version 1.6.0beta16 [March 4, 2012] Version 1.6.0beta16 [March 4, 2012]
Relocated palette-index checking function from pngrutil.c to pngtrans.c Relocated palette-index checking function from pngrutil.c to pngtrans.c
Added palette-index checking while writing. Added palette-index checking while writing.
Changed png_inflate() and calling routines to avoid overflow problems.
This is an intermediate check-in that solves the immediate problems and
introduces one performance improvement (avoiding a copy via png_ptr->zbuf.)
Further changes will be made to make ICC profile handling more secure.
Fixed build warnings (MSVC, GCC, GCC v3). Cygwin GCC with default options Fixed build warnings (MSVC, GCC, GCC v3). Cygwin GCC with default options
declares 'index' as a global, causing a warning if it is used as a local declares 'index' as a global, causing a warning if it is used as a local
variable. GCC 64-bit warns about assigning a (size_t) (unsigned 64-bit) variable. GCC 64-bit warns about assigning a (size_t) (unsigned 64-bit)

png.h

@ -1,7 +1,7 @@
/* png.h - header file for PNG reference library /* png.h - header file for PNG reference library
* *
* libpng version 1.6.0beta16 - March 3, 2012 * libpng version 1.6.0beta16 - March 4, 2012
* Copyright (c) 1998-2012 Glenn Randers-Pehrson * Copyright (c) 1998-2012 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@ -11,7 +11,7 @@
* Authors and maintainers: * Authors and maintainers:
* libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat * libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat
* libpng versions 0.89c, June 1996, through 0.96, May 1997: Andreas Dilger * libpng versions 0.89c, June 1996, through 0.96, May 1997: Andreas Dilger
* libpng versions 0.97, January 1998, through 1.6.0beta16 - March 3, 2012: Glenn * libpng versions 0.97, January 1998, through 1.6.0beta16 - March 4, 2012: Glenn
* See also "Contributing Authors", below. * See also "Contributing Authors", below.
* *
* Note about libpng version numbers: * Note about libpng version numbers:
@ -198,7 +198,7 @@
* *
* This code is released under the libpng license. * This code is released under the libpng license.
* *
* libpng versions 1.2.6, August 15, 2004, through 1.6.0beta16, March 3, 2012, are * libpng versions 1.2.6, August 15, 2004, through 1.6.0beta16, March 4, 2012, are
* Copyright (c) 2004, 2006-2012 Glenn Randers-Pehrson, and are * Copyright (c) 2004, 2006-2012 Glenn Randers-Pehrson, and are
* distributed according to the same disclaimer and license as libpng-1.2.5 * distributed according to the same disclaimer and license as libpng-1.2.5
* with the following individual added to the list of Contributing Authors: * with the following individual added to the list of Contributing Authors:
@ -310,7 +310,7 @@
* Y2K compliance in libpng: * Y2K compliance in libpng:
* ========================= * =========================
* *
* March 3, 2012 * March 4, 2012
* *
* Since the PNG Development group is an ad-hoc body, we can't make * Since the PNG Development group is an ad-hoc body, we can't make
* an official declaration. * an official declaration.
@ -376,7 +376,7 @@
/* Version information for png.h - this should match the version in png.c */ /* Version information for png.h - this should match the version in png.c */
#define PNG_LIBPNG_VER_STRING "1.6.0beta16" #define PNG_LIBPNG_VER_STRING "1.6.0beta16"
#define PNG_HEADER_VERSION_STRING \ #define PNG_HEADER_VERSION_STRING \
" libpng version 1.6.0beta16 - March 3, 2012\n" " libpng version 1.6.0beta16 - March 4, 2012\n"
#define PNG_LIBPNG_VER_SONUM 16 #define PNG_LIBPNG_VER_SONUM 16
#define PNG_LIBPNG_VER_DLLNUM 16 #define PNG_LIBPNG_VER_DLLNUM 16


@ -822,14 +822,7 @@ PNG_INTERNAL_FUNCTION(void,png_read_data,(png_structrp png_ptr, png_bytep data,
/* Read bytes into buf, and update png_ptr->crc */ /* Read bytes into buf, and update png_ptr->crc */
PNG_INTERNAL_FUNCTION(void,png_crc_read,(png_structrp png_ptr, png_bytep buf, PNG_INTERNAL_FUNCTION(void,png_crc_read,(png_structrp png_ptr, png_bytep buf,
png_size_t length),PNG_EMPTY); png_uint_32 length),PNG_EMPTY);
/* Decompress data in a chunk that uses compression */
#if defined(PNG_READ_COMPRESSED_TEXT_SUPPORTED)
PNG_INTERNAL_FUNCTION(void,png_decompress_chunk,(png_structrp png_ptr,
int comp_type, png_size_t chunklength, png_size_t prefix_length,
png_size_t *data_length),PNG_EMPTY);
#endif
/* Read "skip" bytes, read the file crc, and (optionally) verify png_ptr->crc */ /* Read "skip" bytes, read the file crc, and (optionally) verify png_ptr->crc */
PNG_INTERNAL_FUNCTION(int,png_crc_finish,(png_structrp png_ptr, PNG_INTERNAL_FUNCTION(int,png_crc_finish,(png_structrp png_ptr,
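Review bot: The length parameter of png_crc_read narrows from png_size_t to png_uint_32 in the declaration at the top of this hunk, so any caller that still hands it a png_size_t value (a buffer size rather than a chunk length) is implicitly truncated on 64-bit targets; the definition and most callers live in pngrutil.c, whose diff is suppressed on this page, so whether every call site was updated cannot be confirmed here. The values it is called with appear to be chunk lengths, which the PNG format bounds to 31 bits, and pinning that contract in the declaration comment would help later callers, e.g. `/* Read bytes into buf, and update png_ptr->crc; length is a chunk length and must not exceed PNG_UINT_31_MAX */`. The png_decompress_chunk prototype under PNG_READ_COMPRESSED_TEXT_SUPPORTED is dropped; if the function is now file-local in pngrutil.c it should be declared static there, otherwise it becomes an exported symbol with no prototype — not visible from this page.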


@ -491,8 +491,7 @@ png_read_row(png_structrp png_ptr, png_bytep row, png_bytep dsp_row)
png_ptr->zstream.next_in = png_ptr->zbuf; png_ptr->zstream.next_in = png_ptr->zbuf;
if (png_ptr->zbuf_size > png_ptr->idat_size) if (png_ptr->zbuf_size > png_ptr->idat_size)
png_ptr->zstream.avail_in = (uInt)png_ptr->idat_size; png_ptr->zstream.avail_in = (uInt)png_ptr->idat_size;
png_crc_read(png_ptr, png_ptr->zbuf, png_crc_read(png_ptr, png_ptr->zbuf, png_ptr->zstream.avail_in);
(png_size_t)png_ptr->zstream.avail_in);
png_ptr->idat_size -= png_ptr->zstream.avail_in; png_ptr->idat_size -= png_ptr->zstream.avail_in;
} }
