From 19fefd3a4b2a6dac486a721e653d8e81efbbb393 Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Wed, 10 Aug 2016 12:09:22 -0500 Subject: [PATCH] [libpng16] Return NULL from png_malloc_array() with a warning instead of calling png_error() on failure. Reject oversized iCCP profile immediately. --- ANNOUNCE | 7 +++++-- CHANGES | 5 ++++- pngmem.c | 7 +++++-- pngrutil.c | 10 +++++----- 4 files changed, 19 insertions(+), 10 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index c84bee908..5373b2d2a 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,4 +1,4 @@ -Libpng 1.6.25beta01 - August 4, 2016 +Libpng 1.6.25beta01 - August 10, 2016 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -25,7 +25,10 @@ Other information: Changes since the last public release (1.6.24): -Version 1.6.25beta01 [August 4, 2016] +Version 1.6.25beta01 [August 10, 2016] + Return NULL from png_malloc_array() with a warning instead of calling + png_error() on failure. + Reject oversized iCCP profile immediately. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index 39a021c74..4c5961abb 100644 --- a/CHANGES +++ b/CHANGES @@ -5675,7 +5675,10 @@ Version 1.6.24rc03 [August 2, 2016] Version 1.6.24[August 4, 2016] No changes. -Version 1.6.24[August 4, 2016] +Version 1.6.25beta01 [August 10, 2016] + Return NULL from png_malloc_array() with a warning instead of calling + png_error() on failure. + Reject oversized iCCP profile immediately. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/pngmem.c b/pngmem.c index 6033bf2f5..bbe4241fa 100644 --- a/pngmem.c +++ b/pngmem.c 
@@ -1,7 +1,7 @@ /* pngmem.c - stub functions for memory allocation * - * Last changed in libpng 1.6.24 [August 4, 2016] + * Last changed in libpng 1.6.25 [(PENDING RELEASE)] * Copyright (c) 1998-2002,2004,2006-2014,2016 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -123,7 +123,10 @@ png_malloc_array,(png_const_structrp png_ptr, int nelements, size_t element_size),PNG_ALLOCATED) { if (nelements <= 0 || element_size == 0) - png_error(png_ptr, "internal error: array alloc"); + { + png_warning(png_ptr, "internal error: array alloc"); + return NULL; + } return png_malloc_array_checked(png_ptr, nelements, element_size); } diff --git a/pngrutil.c b/pngrutil.c index 1c8a17944..7efefe2c8 100644 --- a/pngrutil.c +++ b/pngrutil.c @@ -1,7 +1,7 @@ /* pngrutil.c - utilities to read a PNG file * - * Last changed in libpng 1.6.24 [August 4, 2016] + * Last changed in libpng 1.6.25 [(PENDING RELEASE)] * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -307,7 +307,7 @@ png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size, int warn) if (buffer == NULL) { - buffer = png_voidcast(png_bytep, png_malloc_base(png_ptr, new_size)); + buffer = png_voidcast(png_bytep, png_malloc_array(png_ptr, 1, new_size)); if (buffer != NULL) { @@ -1462,7 +1462,7 @@ png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) const png_uint_32 tag_count = png_get_uint_32( profile_header+128); png_bytep profile = png_read_buffer(png_ptr, - profile_length, 2/*silent*/); + profile_length, 1/*warn*/); if (profile != NULL) { 
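Review bot: In the pngmem.c hunk at -123, the guard `nelements <= 0 || element_size == 0` in png_malloc_array used to end in png_error, which does not return, and now returns NULL, so every caller must treat NULL as an ordinary result; the function's contract comment should say so, for example `/* Returns NULL, after a warning, when nelements <= 0 or element_size == 0. */`. The message still says "internal error", yet the pngrutil.c hunks in this patch pass sizes that come from chunk data (`new_size`, `keyword_length+1`), so a zero size read from a file would be reported as a library bug; a neutral text such as `png_warning(png_ptr, "array alloc: invalid size");` would be more accurate. `nelements` is an `int`, so an unsigned count above INT_MAX presumably converts to a negative value and lands on this same path, which is worth noting in the comment too. The signature begins in the hunk header, so the full declaration is not visible here.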
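Review bot: In the png_read_buffer hunk at -307, `png_malloc_array(png_ptr, 1, new_size)` does not appear to reject a large `new_size`: with `nelements` fixed at 1, a count-times-size overflow check in png_malloc_array_checked (not shown on this page, so this is inferred) can never fail, and the request reaches the allocator just as it did with png_malloc_base. If the aim is to refuse an oversized iCCP profile before allocating, an explicit comparison of `new_size` against the configured chunk memory limit ahead of this call would do that; no such bound is visible in this hunk or in the png_handle_iCCP hunk that switches `2/*silent*/` to `1/*warn*/`. The one behaviour change that is visible is that `new_size == 0` now emits the "internal error: array alloc" warning before NULL is returned. The final png_handle_iCCP hunk passes the arguments the other way round (`keyword_length+1, 1`), so settling on one convention for byte buffers would make the calls easier to audit. png_read_buffer's body starts and ends outside the hunk.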
@@ -1528,8 +1528,8 @@ png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) PNG_FREE_ICCP, 0); info_ptr->iccp_name = png_voidcast(char*, - png_malloc_base(png_ptr, - keyword_length+1)); + png_malloc_array(png_ptr, + keyword_length+1, 1)); if (info_ptr->iccp_name != NULL) { memcpy(info_ptr->iccp_name, keyword,