From 2d62f7406f0cce2d250d25f1095a0afdc041310e Mon Sep 17 00:00:00 2001 From: John Bowler Date: Wed, 19 Aug 2015 12:56:48 -0500 Subject: [PATCH] [libpng16] Fixed the recently reported 1's complement security issue by replacing the value that is illegal in the PNG spec, in both signed and unsigned values, with 0. Illegal unsigned values (anything greater than or equal to 0x80000000) can still pass through, but since these are not illegal in ANSI-C (unlike 0x80000000 in the signed case) the checking that occurs later can catch them (John Bowler). --- ANNOUNCE | 10 ++++++++-- CHANGES | 8 +++++++- libpng-manual.txt | 6 +++--- libpng.3 | 14 +++++++------- png.c | 4 ++-- png.h | 12 ++++++------ pngrutil.c | 8 +++++++- 7 files changed, 40 insertions(+), 22 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index d0af1be35..bcd273543 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,4 +1,4 @@ -Libpng 1.6.19beta02 - August 18, 2015 +Libpng 1.6.19beta02 - August 19, 2015 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -40,7 +40,7 @@ Version 1.6.19beta01 [July 30, 2015] Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c Fixed uninitialized variable in contrib/gregbook/rpng2-x.c -Version 1.6.19beta02 [August 18, 2015] +Version 1.6.19beta02 [August 19, 2015] Moved config.h.in~ from the "libpng_autotools_files" list to the "libpng_autotools_extra" list in autogen.sh because it was causing a false positive for missing files (bug report by Robert C. Seacord). 
@@ -57,6 +57,12 @@ Version 1.6.19beta02 [August 18, 2015] high level of warnings). Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert Seacord). + Fixed the recently reported 1's complement security issue by replacing + the value that is illegal in the PNG spec, in both signed and unsigned + values, with 0. Illegal unsigned values (anything greater than or equal + to 0x80000000) can still pass through, but since these are not illegal + in ANSI-C (unlike 0x80000000 in the signed case) the checking that + occurs later can catch them (John Bowler). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index 8eb80ae2b..6ea423bad 100644 --- a/CHANGES +++ b/CHANGES @@ -5320,7 +5320,7 @@ Version 1.6.19beta01 [July 30, 2015] Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c Fixed uninitialized variable in contrib/gregbook/rpng2-x.c -Version 1.6.19beta02 [August 18, 2015] +Version 1.6.19beta02 [August 19, 2015] Moved config.h.in~ from the "libpng_autotools_files" list to the "libpng_autotools_extra" list in autogen.sh because it was causing a false positive for missing files (bug report by Robert C. Seacord). @@ -5337,6 +5337,12 @@ Version 1.6.19beta02 [August 18, 2015] high level of warnings). Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert Seacord). + Fixed the recently reported 1's complement security issue by replacing + the value that is illegal in the PNG spec, in both signed and unsigned + values, with 0. Illegal unsigned values (anything greater than or equal + to 0x80000000) can still pass through, but since these are not illegal + in ANSI-C (unlike 0x80000000 in the signed case) the checking that + occurs later can catch them (John Bowler). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit 
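Review bot: the ANNOUNCE and CHANGES entries in these hunks describe the fix without naming what was changed, so anyone auditing a libpng build for this issue has to read png.h and pngrutil.c to learn that png_get_int_32() and the PNG_get_int_32 macro are the affected readers and that the illegal encoding 0x80000000 now decodes to 0. Suggest naming both in the entry, for example "... with 0 in png_get_int_32() and the PNG_get_int_32 macro", and stating that callers see the value 0 rather than an error, since that is the observable behaviour change for public API users.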
diff --git a/libpng-manual.txt b/libpng-manual.txt index b1fffdd0f..44215d55d 100644 --- a/libpng-manual.txt +++ b/libpng-manual.txt @@ -1,6 +1,6 @@ libpng-manual.txt - A description on how to use and modify libpng - libpng version 1.6.19beta02 - August 18, 2015 + libpng version 1.6.19beta02 - August 19, 2015 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2015 Glenn Randers-Pehrson @@ -11,7 +11,7 @@ libpng-manual.txt - A description on how to use and modify libpng Based on: - libpng versions 0.97, January 1998, through 1.6.19beta02 - August 18, 2015 + libpng versions 0.97, January 1998, through 1.6.19beta02 - August 19, 2015 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2015 Glenn Randers-Pehrson @@ -5312,7 +5312,7 @@ Other rules can be inferred by inspecting the libpng source. XVI. Y2K Compliance in libpng -August 18, 2015 +August 19, 2015 Since the PNG Development group is an ad-hoc body, we can't make an official declaration. diff --git a/libpng.3 b/libpng.3 index 2e2f12622..b4b3b05bf 100644 --- a/libpng.3 +++ b/libpng.3 @@ -1,4 +1,4 @@ -.TH LIBPNG 3 "August 18, 2015" +.TH LIBPNG 3 "August 19, 2015" .SH NAME libpng \- Portable Network Graphics (PNG) Reference Library 1.6.19beta02 .SH SYNOPSIS @@ -508,7 +508,7 @@ Following is a copy of the libpng-manual.txt file that accompanies libpng. .SH LIBPNG.TXT libpng-manual.txt - A description on how to use and modify libpng - libpng version 1.6.19beta02 - August 18, 2015 + libpng version 1.6.19beta02 - August 19, 2015 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2015 Glenn Randers-Pehrson @@ -519,7 +519,7 @@ libpng-manual.txt - A description on how to use and modify libpng Based on: - libpng versions 0.97, January 1998, through 1.6.19beta02 - August 18, 2015 + libpng versions 0.97, January 1998, through 1.6.19beta02 - August 19, 2015 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2015 Glenn Randers-Pehrson 
@@ -5820,7 +5820,7 @@ Other rules can be inferred by inspecting the libpng source. .SH XVI. Y2K Compliance in libpng -August 18, 2015 +August 19, 2015 Since the PNG Development group is an ad-hoc body, we can't make an official declaration. @@ -6141,7 +6141,7 @@ possible without all of you. Thanks to Frank J. T. Wojcik for helping with the documentation. -Libpng version 1.6.19beta02 - August 18, 2015: +Libpng version 1.6.19beta02 - August 19, 2015: Initially created in 1995 by Guy Eric Schalnat, then of Group 42, Inc. Currently maintained by Glenn Randers-Pehrson (glennrp at users.sourceforge.net). @@ -6164,7 +6164,7 @@ this sentence. This code is released under the libpng license. -libpng versions 1.0.7, July 1, 2000, through 1.6.19beta02, August 18, 2015, are +libpng versions 1.0.7, July 1, 2000, through 1.6.19beta02, August 19, 2015, are Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, and are distributed according to the same disclaimer and license as libpng-1.0.6 with the following individuals added to the list of Contributing Authors: @@ -6258,7 +6258,7 @@ the additional disclaimers inserted at version 1.0.7. Glenn Randers-Pehrson glennrp at users.sourceforge.net -August 18, 2015 +August 19, 2015 .\" end of man page diff --git a/png.c b/png.c index 541727760..39fa477e6 100644 --- a/png.c +++ b/png.c 
@@ -774,13 +774,13 @@ png_get_copyright(png_const_structrp png_ptr) #else # ifdef __STDC__ return PNG_STRING_NEWLINE \ - "libpng version 1.6.19beta02 - August 18, 2015" PNG_STRING_NEWLINE \ + "libpng version 1.6.19beta02 - August 19, 2015" PNG_STRING_NEWLINE \ "Copyright (c) 1998-2015 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \ "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \ "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \ PNG_STRING_NEWLINE; # else - return "libpng version 1.6.19beta02 - August 18, 2015\ + return "libpng version 1.6.19beta02 - August 19, 2015\ Copyright (c) 1998-2015 Glenn Randers-Pehrson\ Copyright (c) 1996-1997 Andreas Dilger\ Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc."; diff --git a/png.h b/png.h index c0f1b9c05..e93b4f2bf 100644 --- a/png.h +++ b/png.h @@ -1,7 +1,7 @@ /* png.h - header file for PNG reference library * - * libpng version 1.6.19beta02, August 18, 2015 + * libpng version 1.6.19beta02, August 19, 2015 * * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) @@ -12,7 +12,7 @@ * Authors and maintainers: * libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat * libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger - * libpng versions 0.97, January 1998, through 1.6.19beta02, August 18, 2015: Glenn + * libpng versions 0.97, January 1998, through 1.6.19beta02, August 19, 2015: Glenn * See also "Contributing Authors", below. * * Note about libpng version numbers: 
@@ -251,7 +251,7 @@ * * This code is released under the libpng license. * - * libpng versions 1.0.7, July 1, 2000, through 1.6.19beta02, August 18, 2015, are + * libpng versions 1.0.7, July 1, 2000, through 1.6.19beta02, August 19, 2015, are * Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, and are * distributed according to the same disclaimer and license as libpng-1.0.6 * with the following individuals added to the list of Contributing Authors: @@ -360,7 +360,7 @@ * Y2K compliance in libpng: * ========================= * - * August 18, 2015 + * August 19, 2015 * * Since the PNG Development group is an ad-hoc body, we can't make * an official declaration. @@ -430,7 +430,7 @@ /* Version information for png.h - this should match the version in png.c */ #define PNG_LIBPNG_VER_STRING "1.6.19beta02" #define PNG_HEADER_VERSION_STRING \ - " libpng version 1.6.19beta02 - August 18, 2015\n" + " libpng version 1.6.19beta02 - August 19, 2015\n" #define PNG_LIBPNG_VER_SONUM 16 #define PNG_LIBPNG_VER_DLLNUM 16 @@ -2724,7 +2724,7 @@ PNG_EXPORT(207, void, png_save_uint_16, (png_bytep buf, unsigned int i)); # define PNG_get_int_32(buf) \ ((png_int_32)((*(buf) & 0x80) \ - ? -((png_int_32)((png_get_uint_32(buf) ^ 0xffffffffL) + 1)) \ + ? -((png_int_32)(((png_get_uint_32(buf)^0xffffffffU)+1U)&0x7fffffffU)) \ : (png_int_32)png_get_uint_32(buf))) /* If PNG_PREFIX is defined the same thing as below happens in pnglibconf.h, diff --git a/pngrutil.c b/pngrutil.c index 4927d14dd..a60ee96fe 100644 --- a/pngrutil.c +++ b/pngrutil.c 
@@ -89,7 +89,13 @@ png_get_int_32)(png_const_bytep buf) return uval; uval = (uval ^ 0xffffffff) + 1; /* 2's complement: -x = ~x+1 */ - return -(png_int_32)uval; + if ((uval & 0x80000000) == 0) /* no overflow */ + return -(png_int_32)uval; + /* The following has to be safe; this function only gets called on PNG data + * and if we get here that data is invalid. 0 is the most safe value and + * if not then an attacker would surely just generate a PNG with 0 instead. + */ + return 0; } /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */
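Review bot: in the png.h PNG_get_int_32 hunk the new `& 0x7fffffffU` mask is the whole fix (for the encoding 0x80000000 the XOR-and-add wraps to 0x80000000U, which the old line cast to png_int_32 out of range and then negated), yet nothing at the macro says so, nor that it must stay equivalent to png_get_int_32() in pngrutil.c, which handles the same case with an explicit test and a three-line comment. Suggest a one-line comment on the macro stating that the mask maps 0x80000000 to 0 to match the function, so a later edit to one does not silently diverge from the other. The switch from 0xffffffffL to 0xffffffffU also deserves a mention in CHANGES: the L-suffixed constant is unsigned long on ILP32 but signed long on LP64, so the intermediate type of the XOR used to depend on the platform.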
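Review bot: the `return 0;` added in the pngrutil.c hunk silently turns a malformed field into a legitimate-looking value; a caller cannot tell the illegal 0x80000000 from a real 0, and the "checking that occurs later" that the commit message relies on for out-of-range unsigned values does not help here because 0 passes every range check. The comment's argument (an attacker would simply write 0) covers memory safety but not diagnosability. The function takes only `buf` and has no png_ptr, so it cannot warn; at minimum document the 0 return in the function's header comment and at the public prototype in png.h, so callers and pngvalid can test for it. The overflow test itself is right: after `uval = (uval ^ 0xffffffff) + 1` the magnitude lies in 1..0x80000000, so only the original 0x80000000 has bit 31 set. One style point: the png.h hunk uses U-suffixed constants while this hunk uses bare 0xffffffff and 0x80000000; use the same form in both.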
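As an added example that is not libpng's code: a stand-alone C reimplementation of both readers this patch touches, written here with assumed names (get_int_32_fn for the pngrutil.c function form, GET_INT_32_MACRO and get_int_32_macro for the png.h macro form, plus encoding_is_legal, put_int_32, decode_fn, forms_agree and roundtrip_ok, which are helpers for this example only and not part of libpng), exercised on the boundary encodings 0x7fffffff, 0xffffffff, 0x80000001 and the illegal 0x80000000. It shows that the two forms agree after the patch, that the illegal encoding reads as 0 in both, and that a writer emitting INT32_MIN therefore does not round-trip.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t png_uint_32;   /* same widths as libpng's png_uint_32 / png_int_32 */
typedef int32_t  png_int_32;

/* Big-endian unsigned read; stands in for libpng's png_get_uint_32(). */
static png_uint_32 get_uint_32(const unsigned char *buf)
{
    return ((png_uint_32)buf[0] << 24) | ((png_uint_32)buf[1] << 16) |
           ((png_uint_32)buf[2] << 8)  |  (png_uint_32)buf[3];
}

/* Function form, following the pngrutil.c hunk (assumed name, not libpng's). */
png_int_32 get_int_32_fn(const unsigned char *buf)
{
    png_uint_32 uval = get_uint_32(buf);

    if ((uval & 0x80000000U) == 0)     /* sign bit clear: already a valid png_int_32 */
        return (png_int_32)uval;

    uval = (uval ^ 0xffffffffU) + 1U;  /* magnitude of the negative value: 1 .. 0x80000000 */
    if ((uval & 0x80000000U) == 0)     /* magnitude <= 0x7fffffff, negation cannot overflow */
        return -(png_int_32)uval;

    return 0;                          /* only the encoding 0x80000000 gets here: illegal in PNG */
}

/* Macro form, following the png.h hunk (assumed name, not libpng's). The mask keeps the
 * cast in range for 0x80000000, where the XOR-and-add wraps back to 0x80000000U. */
#define GET_INT_32_MACRO(buf) \
    ((png_int_32)((*(buf) & 0x80) \
     ? -((png_int_32)(((get_uint_32(buf) ^ 0xffffffffU) + 1U) & 0x7fffffffU)) \
     : (png_int_32)get_uint_32(buf)))

png_int_32 get_int_32_macro(const unsigned char *buf)
{
    return GET_INT_32_MACRO(buf);
}

/* Two's-complement big-endian encoder, as a conforming PNG writer emits signed fields. */
void put_int_32(unsigned char *buf, png_int_32 v)
{
    png_uint_32 u = (png_uint_32)v;    /* modular conversion, well defined for negative v */
    buf[0] = (unsigned char)(u >> 24);
    buf[1] = (unsigned char)(u >> 16);
    buf[2] = (unsigned char)(u >> 8);
    buf[3] = (unsigned char)u;
}

/* PNG signed fields span -(2^31 - 1) .. 2^31 - 1; 0x80000000 is the one illegal encoding. */
int encoding_is_legal(unsigned b0, unsigned b1, unsigned b2, unsigned b3)
{
    return !(b0 == 0x80 && b1 == 0 && b2 == 0 && b3 == 0);
}

/* Decode four explicit bytes with the function form (constructed input, byte by byte). */
png_int_32 decode_fn(unsigned b0, unsigned b1, unsigned b2, unsigned b3)
{
    unsigned char buf[4] = { (unsigned char)b0, (unsigned char)b1,
                             (unsigned char)b2, (unsigned char)b3 };
    return get_int_32_fn(buf);
}

/* 1 when function and macro agree on the field and an illegal field decodes to 0. */
int forms_agree(unsigned b0, unsigned b1, unsigned b2, unsigned b3)
{
    unsigned char buf[4] = { (unsigned char)b0, (unsigned char)b1,
                             (unsigned char)b2, (unsigned char)b3 };
    png_int_32 f = get_int_32_fn(buf), m = get_int_32_macro(buf);
    return f == m && (encoding_is_legal(b0, b1, b2, b3) || f == 0);
}

/* 1 when v survives encode -> decode in both forms. INT32_MIN does not: its encoding is
 * the illegal 0x80000000, which both readers now map to 0. */
int roundtrip_ok(png_int_32 v)
{
    unsigned char buf[4];
    put_int_32(buf, v);
    return get_int_32_fn(buf) == v && get_int_32_macro(buf) == v;
}

int main(void)
{
    /* Constructed boundary encodings: 0, INT32_MAX, -1, INT32_MIN + 1, and the illegal one. */
    static const unsigned cases[][4] = {
        { 0x00, 0x00, 0x00, 0x00 }, { 0x7f, 0xff, 0xff, 0xff }, { 0xff, 0xff, 0xff, 0xff },
        { 0x80, 0x00, 0x00, 0x01 }, { 0x80, 0x00, 0x00, 0x00 },
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const unsigned *c = cases[i];
        printf("%02x%02x%02x%02x -> %11ld  legal=%d  forms_agree=%d\n",
               c[0], c[1], c[2], c[3], (long)decode_fn(c[0], c[1], c[2], c[3]),
               encoding_is_legal(c[0], c[1], c[2], c[3]), forms_agree(c[0], c[1], c[2], c[3]));
    }
    printf("roundtrip INT32_MIN: %d\n", roundtrip_ok(-2147483647 - 1));
    return 0;
}
```

The point of keeping both forms side by side is the one a reviewer would raise on the png.h hunk: the macro and the function are two implementations of the same public operation, and a test like forms_agree over the four boundary encodings is the cheapest way to keep them from drifting apart after a fix like this one.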