[libng16] Check length of all chunks except IDAT against user limit.

This commit is contained in:
Glenn Randers-Pehrson 2017-08-02 19:21:19 -05:00
parent 2b37d46564
commit 347538efbd
4 changed files with 36 additions and 3 deletions

View File

@ -1,4 +1,4 @@
Libpng 1.6.32beta07 - August 2, 2017
Libpng 1.6.32beta07 - August 3, 2017
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
@ -54,7 +54,8 @@ Version 1.6.32beta05 [August 2, 2017]
Version 1.6.32beta06 [August 2, 2017]
Removed png_get_eXIf_1() and png_set_eXIf_1().
Version 1.6.32beta07 [August 2, 2017]
Version 1.6.32beta07 [August 3, 2017]
Check length of all chunks except IDAT against user limit.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit

View File

@ -5937,7 +5937,8 @@ Version 1.6.32beta05 [August 2, 2017]
Version 1.6.32beta06 [August 2, 2017]
Removed png_get_eXIf_1() and png_set_eXIf_1().
Version 1.6.32beta07 [August 2, 2017]
Version 1.6.32beta07 [August 3, 2017]
Check length of all chunks except IDAT against user limit.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit

View File

@ -223,6 +223,21 @@ png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr)
png_benign_error(png_ptr, "Too many IDATs found");
}
else
{
png_alloc_size_t limit = PNG_SIZE_MAX;
# ifdef PNG_SET_USER_LIMITS_SUPPORTED
if (png_ptr->user_chunk_malloc_max > 0 &&
png_ptr->user_chunk_malloc_max < limit)
limit = png_ptr->user_chunk_malloc_max;
# elif PNG_USER_CHUNK_MALLOC_MAX > 0
if (PNG_USER_CHUNK_MALLOC_MAX < limit)
limit = PNG_USER_CHUNK_MALLOC_MAX;
# endif
if (png_ptr->push_length > limit)
png_chunk_error(png_ptr, "chunk data is too large");
}
if (chunk_name == png_IHDR)
{
if (png_ptr->push_length != 13)

View File

@ -181,6 +181,22 @@ png_read_chunk_header(png_structrp png_ptr)
/* Check to see if chunk name is valid. */
png_check_chunk_name(png_ptr, png_ptr->chunk_name);
/* Check for too-large chunk length */
if (png_ptr->chunk_name != png_IDAT)
{
png_alloc_size_t limit = PNG_SIZE_MAX;
# ifdef PNG_SET_USER_LIMITS_SUPPORTED
if (png_ptr->user_chunk_malloc_max > 0 &&
png_ptr->user_chunk_malloc_max < limit)
limit = png_ptr->user_chunk_malloc_max;
# elif PNG_USER_CHUNK_MALLOC_MAX > 0
if (PNG_USER_CHUNK_MALLOC_MAX < limit)
limit = PNG_USER_CHUNK_MALLOC_MAX;
# endif
if (length > limit)
png_chunk_error(png_ptr, "chunk data is too large");
}
#ifdef PNG_IO_STATE_SUPPORTED
png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
#endif