cheng/libpng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[libpng16] Restored IDAT length check. Previously the calculated limit was five

Browse Source 
bytes too small (neglected to account for a partial DEFLATE buffer)
This commit is contained in:
Glenn Randers-Pehrson 2017-08-03 18:03:12 -05:00
parent 4ac8b5e0d6
commit 2dbef2f2a9
4 changed files with 9 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ANNOUNCE
View File

@ -65,7 +65,6 @@ Version 1.6.32beta08 [August 3, 2017]
does not work (the eXIf chunk data can contain zeroes).
Version 1.6.32beta09 [August 3, 2017]
Temporarily disable IDAT length-limiting.
Require cmake-2.8.8 in CMakeLists.txt. Revised symlink creation,
no longer using deprecated cmake LOCATION feature (Clifford Yapp).

1
CHANGES
View File

@ -5948,7 +5948,6 @@ Version 1.6.32beta08 [August 3, 2017]
does not work (the eXIf chunk data can contain zeroes).
Version 1.6.32beta09 [August 3, 2017]
Temporarily disable IDAT length-limiting.
Require cmake-2.8.8 in CMakeLists.txt. Revised symlink creation,
no longer using deprecated cmake LOCATION feature (Clifford Yapp).

10
pngpread.c
View File

@ -226,7 +226,6 @@ png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr)
if (chunk_name == png_IDAT)
{
#if 0 /* some pngtests are failing */
size_t row_factor =
(png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+ 1 + (png_ptr->interlaced? 6: 0));
@ -234,11 +233,8 @@ png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr)
limit=PNG_UINT_31_MAX;
else
limit = png_ptr->height * row_factor;
limit += 6 + 5*limit/32566; /* zlib+deflate overhead */
limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */
limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX;
#else
limit=PNG_UINT_31_MAX;
#endif
}
else
{
@ -253,7 +249,9 @@ png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr)
}
if (png_ptr->push_length > limit)
{
png_debug2(1," png_ptr->push_length = %lu, limit = %lu",
printf(" png_ptr->push_length = %lu, limit = %lu\n",
(unsigned long)png_ptr->push_length,(unsigned long)limit);
png_debug2(0," png_ptr->push_length = %lu, limit = %lu",
(unsigned long)png_ptr->push_length,(unsigned long)limit);
png_chunk_error(png_ptr, "chunk data is too large");
}

12
pngrutil.c
View File

@ -196,7 +196,6 @@ png_read_chunk_header(png_structrp png_ptr)
}
else
{
#if 0 /* some pngtests are failing */
size_t row_factor =
(png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+ 1 + (png_ptr->interlaced? 6: 0));
@ -204,17 +203,16 @@ png_read_chunk_header(png_structrp png_ptr)
limit=PNG_UINT_31_MAX;
else
limit = png_ptr->height * row_factor;
limit += 6 + 5*limit/32566; /* zlib+deflate overhead */
limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */
limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX;
#else
limit=PNG_UINT_31_MAX;
#endif
}
if (length > limit)
{
png_debug2(1," png_ptr->push_length = %lu, limit = %lu",
(unsigned long)png_ptr->push_length,(unsigned long)limit);
printf(" length = %lu, limit = %lu\n",
(unsigned long)length,(unsigned long)limit);
png_debug2(0," length = %lu, limit = %lu",
(unsigned long)length,(unsigned long)limit);
png_chunk_error(png_ptr, "chunk data is too large");
}