[libpng16] Eliminated PNG_SAFE_LIMITS macro and restored the 1-million-column
and 1-million-row default limits in pnglibconf.dfa, that can be reset by the user at build time or run time. This provides a more robust defense against DOS and as-yet undiscovered overflows. Display user limits in the output from pngtest.
This commit is contained in:
Glenn Randers-Pehrson
parent
471b38aa00
commit
4b65a89cf4
9
ANNOUNCE
9
ANNOUNCE
@ -1,4 +1,4 @@
|
||||
Libpng 1.6.17beta03 - February 7, 2015
|
||||
Libpng 1.6.17beta03 - February 17, 2015
|
||||
|
||||
This is not intended to be a public release. It will be replaced
|
||||
within a few weeks by a public version or by another test version.
|
||||
@ -44,7 +44,12 @@ Version 1.6.17beta02 [February 7, 2015]
|
||||
Work around one more Coverity-scan dead-code warning.
|
||||
Do not build png_product2() when it is unused.
|
||||
|
||||
Version 1.6.17beta03 [February 7, 2015]
|
||||
Version 1.6.17beta03 [February 17, 2015]
|
||||
Display user limits in the output from pngtest.
|
||||
Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column
|
||||
and 1-million-row default limits in pnglibconf.dfa, that can be reset
|
||||
by the user at build time or run time. This provides a more robust
|
||||
defense against DOS and as-yet undiscovered overflows.
|
||||
|
||||
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
|
||||
(subscription required; visit
|
||||
|
||||
7
CHANGES
7
CHANGES
@ -5145,7 +5145,12 @@ Version 1.6.17beta02 [February 7, 2015]
|
||||
Work around one more Coverity-scan dead-code warning.
|
||||
Do not build png_product2() when it is unused.
|
||||
|
||||
Version 1.6.17beta03 [February 7, 2015]
|
||||
Version 1.6.17beta03 [February 17, 2015]
|
||||
Display user limits in the output from pngtest.
|
||||
Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column
|
||||
and 1-million-row default limits in pnglibconf.dfa, that can be reset
|
||||
by the user at build time or run time. This provides a more robust
|
||||
defense against DOS and as-yet undiscovered overflows.
|
||||
|
||||
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
|
||||
(subscription required; visit
|
||||
|
||||
43
pngpriv.h
43
pngpriv.h
@ -300,46 +300,9 @@
|
||||
|
||||
/* SECURITY and SAFETY:
|
||||
*
|
||||
* By default libpng is built without any internal limits on image size,
|
||||
* individual heap (png_malloc) allocations or the total amount of memory used.
|
||||
* If PNG_SAFE_LIMITS_SUPPORTED is defined, however, the limits below are used
|
||||
* (unless individually overridden). These limits are believed to be fairly
|
||||
* safe, but builders of secure systems should verify the values against the
|
||||
* real system capabilities.
|
||||
*/
|
||||
#ifdef PNG_SAFE_LIMITS_SUPPORTED
|
||||
/* 'safe' limits */
|
||||
# ifndef PNG_USER_WIDTH_MAX
|
||||
# define PNG_USER_WIDTH_MAX 1000000
|
||||
# endif
|
||||
# ifndef PNG_USER_HEIGHT_MAX
|
||||
# define PNG_USER_HEIGHT_MAX 1000000
|
||||
# endif
|
||||
# ifndef PNG_USER_CHUNK_CACHE_MAX
|
||||
# define PNG_USER_CHUNK_CACHE_MAX 128
|
||||
# endif
|
||||
# ifndef PNG_USER_CHUNK_MALLOC_MAX
|
||||
# define PNG_USER_CHUNK_MALLOC_MAX 8000000
|
||||
# endif
|
||||
#else
|
||||
/* values for no limits */
|
||||
# ifndef PNG_USER_WIDTH_MAX
|
||||
# define PNG_USER_WIDTH_MAX 0x7fffffff
|
||||
# endif
|
||||
# ifndef PNG_USER_HEIGHT_MAX
|
||||
# define PNG_USER_HEIGHT_MAX 0x7fffffff
|
||||
# endif
|
||||
# ifndef PNG_USER_CHUNK_CACHE_MAX
|
||||
# define PNG_USER_CHUNK_CACHE_MAX 0
|
||||
# endif
|
||||
# ifndef PNG_USER_CHUNK_MALLOC_MAX
|
||||
# define PNG_USER_CHUNK_MALLOC_MAX 0
|
||||
# endif
|
||||
#endif
|
||||
|
||||
/* Moved to pngpriv.h at libpng-1.5.0 */
|
||||
/* NOTE: some of these may have been used in external applications as
|
||||
* these definitions were exposed in pngconf.h prior to 1.5.
|
||||
* libpng is built with support for internal limits on image dimensions and
|
||||
* memory usage. These are documented in scripts/pnglibconf.dfa of the
|
||||
* source and recorded in the machine generated header file pnglibconf.h.
|
||||
*/
|
||||
|
||||
/* If you are running on a machine where you cannot allocate more
|
||||
|
||||
26
pngtest.c
26
pngtest.c
@ -377,7 +377,7 @@ pngtest_read_data(png_structp png_ptr, png_bytep data, png_size_t length)
|
||||
io_ptr = png_get_io_ptr(png_ptr);
|
||||
if (io_ptr != NULL)
|
||||
{
|
||||
check = fread(data, (sizeof (png_byte)), length, (png_FILE_p)io_ptr);
|
||||
check = fread(data, 1, length, (png_FILE_p)io_ptr);
|
||||
}
|
||||
|
||||
if (check != length)
|
||||
@ -1610,8 +1610,8 @@ test_one_file(PNG_CONST char *inname, PNG_CONST char *outname)
|
||||
png_size_t num_in, num_out;
|
||||
char inbuf[256], outbuf[256];
|
||||
|
||||
num_in = fread(inbuf, 1, (sizeof inbuf), fpin);
|
||||
num_out = fread(outbuf, 1, (sizeof outbuf), fpout);
|
||||
num_in = fread(inbuf, 1, sizeof inbuf, fpin);
|
||||
num_out = fread(outbuf, 1, sizeof outbuf, fpout);
|
||||
|
||||
if (num_in != num_out)
|
||||
{
|
||||
@ -1701,6 +1701,8 @@ main(int argc, char *argv[])
|
||||
int multiple = 0;
|
||||
int ierror = 0;
|
||||
|
||||
png_structp dummy_ptr;
|
||||
|
||||
fprintf(STDERR, "\n Testing libpng version %s\n", PNG_LIBPNG_VER_STRING);
|
||||
fprintf(STDERR, " with zlib version %s\n", ZLIB_VERSION);
|
||||
fprintf(STDERR, "%s", png_get_copyright(NULL));
|
||||
@ -1994,6 +1996,24 @@ main(int argc, char *argv[])
|
||||
else
|
||||
fprintf(STDERR, " libpng FAILS test\n");
|
||||
|
||||
dummy_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING, NULL, NULL, NULL);
|
||||
fprintf(STDERR, " Default limits:\n");
|
||||
fprintf(STDERR, " width_max = %lu\n",
|
||||
(unsigned long) png_get_user_width_max(dummy_ptr));
|
||||
fprintf(STDERR, " height_max = %lu\n",
|
||||
(unsigned long) png_get_user_height_max(dummy_ptr));
|
||||
if (png_get_chunk_cache_max(dummy_ptr) == 0)
|
||||
fprintf(STDERR, " cache_max = unlimited\n");
|
||||
else
|
||||
fprintf(STDERR, " cache_max = %lu\n",
|
||||
(unsigned long) png_get_chunk_cache_max(dummy_ptr));
|
||||
if (png_get_chunk_malloc_max(dummy_ptr) == 0)
|
||||
fprintf(STDERR, " malloc_max = unlimited\n");
|
||||
else
|
||||
fprintf(STDERR, " malloc_max = %lu\n",
|
||||
(unsigned long) png_get_chunk_malloc_max(dummy_ptr));
|
||||
png_destroy_read_struct(&dummy_ptr, NULL, NULL);
|
||||
|
||||
return (int)(ierror != 0);
|
||||
}
|
||||
#else
|
||||
|
||||
@ -8,7 +8,7 @@
|
||||
# here by entering the appropriate values as #defines preceded by '@' (to cause,
|
||||
# them to be passed through to the build of pnglibconf.h), for example:
|
||||
#
|
||||
# @# define PNG_USER_WIDTH_MAX 1000000
|
||||
# @# define PNG_USER_HEIGHT_MAX 1000000
|
||||
# @# define PNG_USER_CHUNK_CACHE_MAX 128
|
||||
# @# define PNG_USER_CHUNK_MALLOC_MAX 8000000
|
||||
# @# define PNG_USER_WIDTH_MAX 65535
|
||||
# @# define PNG_USER_HEIGHT_MAX 65535
|
||||
# @# define PNG_USER_CHUNK_CACHE_MAX 256
|
||||
# @# define PNG_USER_CHUNK_MALLOC_MAX 640000
|
||||
|
||||
@ -350,36 +350,15 @@ option USER_MEM
|
||||
|
||||
option IO_STATE
|
||||
|
||||
# This is only for PowerPC big-endian and 680x0 systems
|
||||
# some testing, not enabled by default.
|
||||
# NO LONGER USED
|
||||
|
||||
#option READ_BIG_ENDIAN disabled
|
||||
|
||||
# Allow users to control limits on what the READ code will
|
||||
# read:
|
||||
|
||||
# Added at libpng-1.2.43; adds limit fields to png_struct,
|
||||
# allows some usages of these fields
|
||||
|
||||
option USER_LIMITS
|
||||
|
||||
# Added at libpng-1.2.6; adds setting APIs, allows additional
|
||||
# usage of this field (UTSL)
|
||||
|
||||
option SET_USER_LIMITS requires USER_LIMITS
|
||||
|
||||
# Feature added at libpng-1.4.0, this flag added at 1.4.1
|
||||
option SET_USER_LIMITS enables SET_CHUNK_CACHE_LIMIT
|
||||
# Feature added at libpng-1.4.1, this flag added at 1.4.1
|
||||
|
||||
option SET_USER_LIMITS enables SET_CHUNK_MALLOC_LIMIT
|
||||
|
||||
# Libpng limits.
|
||||
# Libpng limits: limit the size of images and data on read.
|
||||
#
|
||||
# If these settings are *not* set libpng will not limit the size of
|
||||
# images or the size of data in ancilliary chunks. This does lead to
|
||||
# security issues if PNG files come from untrusted sources. Settings have the
|
||||
# If this option is disabled all the limit checking code will be disabled:
|
||||
|
||||
option USER_LIMITS requires READ
|
||||
|
||||
# The default settings given below for the limits mean that libpng will
|
||||
# limit the size of images or the size of data in ancilliary chunks to less
|
||||
# than the specification or implementation limits. Settings have the
|
||||
# following interpretations:
|
||||
#
|
||||
# USER_WIDTH_MAX: maximum width of an image that will be read
|
||||
@ -389,17 +368,14 @@ option SET_USER_LIMITS enables SET_CHUNK_MALLOC_LIMIT
|
||||
#
|
||||
# Only chunks that are variable in number are counted towards the
|
||||
# USER_CHUNK_CACHE_MAX limit
|
||||
setting USER_WIDTH_MAX
|
||||
setting USER_HEIGHT_MAX
|
||||
setting USER_CHUNK_CACHE_MAX
|
||||
setting USER_CHUNK_MALLOC_MAX
|
||||
setting USER_WIDTH_MAX default 1000000 /* Use 0x7fffffff for unlimited */
|
||||
setting USER_HEIGHT_MAX default 1000000 /* Use 0x7fffffff for unlimited */
|
||||
setting USER_CHUNK_CACHE_MAX default 1000 /* Use 0 for unlimited */
|
||||
setting USER_CHUNK_MALLOC_MAX default 8000000 /* Use 0 for unlimited */
|
||||
|
||||
# To default all these settings to values that are large but probably
|
||||
# safe turn the SAFE_LIMITS option on; this will cause the value in
|
||||
# pngpriv.h to be used. Individual values can also be set, simply set
|
||||
# them in pngusr.dfa with '@#define PNG_setting value' lines.
|
||||
option SAFE_LIMITS enables USER_LIMITS disabled
|
||||
= SAFE_LIMITS SAFE_LIMITS
|
||||
# If this option is enabled APIs to set the above limits at run time are added;
|
||||
# without this the hardwired (compile time) limits will be used.
|
||||
option SET_USER_LIMITS requires USER_LIMITS
|
||||
|
||||
# All of the following options relate to code capabilities for
|
||||
# processing image data before creating a PNG or after reading one.
|
||||
@ -541,6 +517,7 @@ option USER_TRANSFORM_INFO if READ_USER_TRANSFORM, WRITE_USER_TRANSFORM
|
||||
# non-IDAT chunks (zTXt, iTXt, iCCP, and unknown chunks). This feature
|
||||
# was added at libpng-1.5.3.
|
||||
option WRITE_CUSTOMIZE_ZTXT_COMPRESSION requires WRITE
|
||||
option WRITE_CUSTOMIZE_COMPRESSION requires WRITE
|
||||
|
||||
# Any chunks you are not interested in, you can undef here. The
|
||||
# ones that allocate memory may be expecially important (hIST,
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
|
||||
/* pnglibconf.h - library build configuration */
|
||||
|
||||
/* Libpng version 1.6.17beta03 - February 7, 2015 */
|
||||
/* Libpng version 1.6.17beta03 - February 17, 2015 */
|
||||
|
||||
/* Copyright (c) 1998-2014 Glenn Randers-Pehrson */
|
||||
|
||||
@ -97,7 +97,6 @@
|
||||
#define PNG_READ_tIME_SUPPORTED
|
||||
#define PNG_READ_tRNS_SUPPORTED
|
||||
#define PNG_READ_zTXt_SUPPORTED
|
||||
/*#undef PNG_SAFE_LIMITS_SUPPORTED*/
|
||||
#define PNG_SAVE_INT_32_SUPPORTED
|
||||
#define PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
|
||||
#define PNG_SEQUENTIAL_READ_SUPPORTED
|
||||
@ -129,6 +128,7 @@
|
||||
#define PNG_WRITE_BGR_SUPPORTED
|
||||
#define PNG_WRITE_CHECK_FOR_INVALID_INDEX_SUPPORTED
|
||||
#define PNG_WRITE_COMPRESSED_TEXT_SUPPORTED
|
||||
#define PNG_WRITE_CUSTOMIZE_COMPRESSION_SUPPORTED
|
||||
#define PNG_WRITE_CUSTOMIZE_ZTXT_COMPRESSION_SUPPORTED
|
||||
#define PNG_WRITE_FILLER_SUPPORTED
|
||||
#define PNG_WRITE_FILTER_SUPPORTED
|
||||
@ -198,6 +198,10 @@
|
||||
#define PNG_QUANTIZE_RED_BITS 5
|
||||
#define PNG_TEXT_Z_DEFAULT_COMPRESSION (-1)
|
||||
#define PNG_TEXT_Z_DEFAULT_STRATEGY 0
|
||||
#define PNG_USER_CHUNK_CACHE_MAX 1000 /* Use 0 for unlimited */
|
||||
#define PNG_USER_CHUNK_MALLOC_MAX 8000000 /* Use 0 for unlimited */
|
||||
#define PNG_USER_HEIGHT_MAX 1000000 /* Use 0x7fffffff for unlimited */
|
||||
#define PNG_USER_WIDTH_MAX 1000000 /* Use 0x7fffffff for unlimited */
|
||||
#define PNG_WEIGHT_SHIFT 8
|
||||
#define PNG_ZBUF_SIZE 8192
|
||||
#define PNG_ZLIB_VERNUM 0 /* unknown */
|
||||
|
||||
Loading…
Reference in New Issue
Block a user