cheng/libpng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[libpng16] Silently truncate over-length PLTE chunk while reading.

Browse Source
This commit is contained in:
Glenn Randers-Pehrson 2015-10-30 11:34:37 -05:00
parent a901eb3ce6
commit 1bef8e9799
4 changed files with 16 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ANNOUNCE
View File

@ -107,7 +107,8 @@ Version 1.6.19rc01 [October 23, 2015]
No changes. No changes.
Version 1.6.19rc02 [October 30, 2015] Version 1.6.19rc02 [October 30, 2015]
Prevent reading or writing over-length PLTE chunk (Cosmin Truta). Prevent setting or writing over-length PLTE chunk (Cosmin Truta).
Silently truncate over-length PLTE chunk while reading.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

3
CHANGES
View File

@ -5392,7 +5392,8 @@ Version 1.6.19rc01 [October 23, 2015]
No changes. No changes.
Version 1.6.19rc02 [October 30, 2015] Version 1.6.19rc02 [October 30, 2015]
Prevent reading or writing over-length PLTE chunk (Cosmin Truta). Prevent setting or writing over-length PLTE chunk (Cosmin Truta).
Silently truncate over-length PLTE chunk while reading.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

15
pngrutil.c
View File

@ -872,7 +872,7 @@ void /* PRIVATE */
png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
{ {
png_color palette[PNG_MAX_PALETTE_LENGTH]; png_color palette[PNG_MAX_PALETTE_LENGTH];
int num, i; int max_palette_length, num, i;
#ifdef PNG_POINTER_INDEXING_SUPPORTED #ifdef PNG_POINTER_INDEXING_SUPPORTED
png_colorp pal_ptr; png_colorp pal_ptr;
#endif #endif
@ -930,9 +930,19 @@ png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
return; return;
} }
max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
(1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
/* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */ /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
num = (int)length / 3; num = (int)length / 3;
/* If the palette has 256 or fewer entries but is too large for the bit depth,
* we don't issue an error, to preserve the behavior of previous libpng versions.
* We silently truncate the unused extra palette entries here.
*/
if (num > max_palette_length)
num = max_palette_length;
#ifdef PNG_POINTER_INDEXING_SUPPORTED #ifdef PNG_POINTER_INDEXING_SUPPORTED
for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++) for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
{ {
@ -1002,9 +1012,6 @@ png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
* confusing. * confusing.
* *
* Fix this by not sharing the palette in this way. * Fix this by not sharing the palette in this way.
*
* Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
* it attempts to set a palette length that is too large for the bit depth.
*/ */
png_set_PLTE(png_ptr, info_ptr, palette, num); png_set_PLTE(png_ptr, info_ptr, palette, num);

2
pngset.c
View File

@ -523,7 +523,7 @@ png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
(1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
if (num_palette < 0 || num_palette > max_palette_length) if (num_palette < 0 || num_palette > (int) max_palette_length)
{ {
if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
png_error(png_ptr, "Invalid palette length"); png_error(png_ptr, "Invalid palette length");