From 4b65a89cf4303d64762ed4cad4ca469adab794ce Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Mon, 16 Feb 2015 22:52:07 -0600 Subject: [PATCH] [libpng16] Eliminated PNG_SAFE_LIMITS macro and restored the 1-million-column and 1-million-row default limits in pnglibconf.dfa, that can be reset by the user at build time or run time. This provides a more robust defense against DOS and as-yet undiscovered overflows. Display user limits in the output from pngtest. --- ANNOUNCE | 9 ++++-- CHANGES | 7 ++++- pngpriv.h | 43 ++------------------------- pngtest.c | 26 +++++++++++++++-- pngusr.dfa | 8 ++--- scripts/pnglibconf.dfa | 55 ++++++++++------------------------- scripts/pnglibconf.h.prebuilt | 8 +++-- 7 files changed, 65 insertions(+), 91 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index 5c63c3b73..0281b45f8 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,4 +1,4 @@ -Libpng 1.6.17beta03 - February 7, 2015 +Libpng 1.6.17beta03 - February 17, 2015 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -44,7 +44,12 @@ Version 1.6.17beta02 [February 7, 2015] Work around one more Coverity-scan dead-code warning. Do not build png_product2() when it is unused. -Version 1.6.17beta03 [February 7, 2015] +Version 1.6.17beta03 [February 17, 2015] + Display user limits in the output from pngtest. + Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column + and 1-million-row default limits in pnglibconf.dfa, that can be reset + by the user at build time or run time. This provides a more robust + defense against DOS and as-yet undiscovered overflows. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index 06a07d401..ba429cd44 100644 --- a/CHANGES +++ b/CHANGES 
@@ -5145,7 +5145,12 @@ Version 1.6.17beta02 [February 7, 2015] Work around one more Coverity-scan dead-code warning. Do not build png_product2() when it is unused. -Version 1.6.17beta03 [February 7, 2015] +Version 1.6.17beta03 [February 17, 2015] + Display user limits in the output from pngtest. + Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column + and 1-million-row default limits in pnglibconf.dfa, that can be reset + by the user at build time or run time. This provides a more robust + defense against DOS and as-yet undiscovered overflows. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/pngpriv.h b/pngpriv.h index 4d7a665de..5b0213f42 100644 --- a/pngpriv.h +++ b/pngpriv.h 
@@ -300,46 +300,9 @@ /* SECURITY and SAFETY: * - * By default libpng is built without any internal limits on image size, - * individual heap (png_malloc) allocations or the total amount of memory used. - * If PNG_SAFE_LIMITS_SUPPORTED is defined, however, the limits below are used - * (unless individually overridden). These limits are believed to be fairly - * safe, but builders of secure systems should verify the values against the - * real system capabilities. - */ -#ifdef PNG_SAFE_LIMITS_SUPPORTED - /* 'safe' limits */ -# ifndef PNG_USER_WIDTH_MAX -# define PNG_USER_WIDTH_MAX 1000000 -# endif -# ifndef PNG_USER_HEIGHT_MAX -# define PNG_USER_HEIGHT_MAX 1000000 -# endif -# ifndef PNG_USER_CHUNK_CACHE_MAX -# define PNG_USER_CHUNK_CACHE_MAX 128 -# endif -# ifndef PNG_USER_CHUNK_MALLOC_MAX -# define PNG_USER_CHUNK_MALLOC_MAX 8000000 -# endif -#else - /* values for no limits */ -# ifndef PNG_USER_WIDTH_MAX -# define PNG_USER_WIDTH_MAX 0x7fffffff -# endif -# ifndef PNG_USER_HEIGHT_MAX -# define PNG_USER_HEIGHT_MAX 0x7fffffff -# endif -# ifndef PNG_USER_CHUNK_CACHE_MAX -# define PNG_USER_CHUNK_CACHE_MAX 0 -# endif -# ifndef PNG_USER_CHUNK_MALLOC_MAX -# define PNG_USER_CHUNK_MALLOC_MAX 0 -# endif -#endif - -/* Moved to pngpriv.h at libpng-1.5.0 */ -/* NOTE: some of these may have been used in external applications as - * these definitions were exposed in pngconf.h prior to 1.5. + * libpng is built with support for internal limits on image dimensions and + * memory usage. These are documented in scripts/pnglibconf.dfa of the + * source and recorded in the machine generated header file pnglibconf.h. */ /* If you are running on a machine where you cannot allocate more diff --git a/pngtest.c b/pngtest.c index 4e64def79..5d09f1c6e 100644 --- a/pngtest.c +++ b/pngtest.c 
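Review bot: Dropping the `#ifndef PNG_USER_WIDTH_MAX` fallback block leaves no compile-time check that pnglibconf.h really defines the four PNG_USER_*_MAX macros, and the replacement comment makes that generated header the single source for them. A pnglibconf.h produced before this change (or a hand-maintained one) would then reach whatever code uses these macros as undefined names: a build error where they are used as values, a silent 0 inside any `#if` test; which of the two applies is not visible in this hunk and should be confirmed against png.c. A guard after the new comment would make a stale header loud: `#if defined(PNG_USER_LIMITS_SUPPORTED) && !defined(PNG_USER_WIDTH_MAX)` / `#  error "pnglibconf.h predates the USER_*_MAX settings; regenerate it"` / `#endif`.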
@@ -377,7 +377,7 @@ pngtest_read_data(png_structp png_ptr, png_bytep data, png_size_t length) io_ptr = png_get_io_ptr(png_ptr); if (io_ptr != NULL) { - check = fread(data, (sizeof (png_byte)), length, (png_FILE_p)io_ptr); + check = fread(data, 1, length, (png_FILE_p)io_ptr); } if (check != length) @@ -1610,8 +1610,8 @@ test_one_file(PNG_CONST char *inname, PNG_CONST char *outname) png_size_t num_in, num_out; char inbuf[256], outbuf[256]; - num_in = fread(inbuf, 1, (sizeof inbuf), fpin); - num_out = fread(outbuf, 1, (sizeof outbuf), fpout); + num_in = fread(inbuf, 1, sizeof inbuf, fpin); + num_out = fread(outbuf, 1, sizeof outbuf, fpout); if (num_in != num_out) { @@ -1701,6 +1701,8 @@ main(int argc, char *argv[]) int multiple = 0; int ierror = 0; + png_structp dummy_ptr; + fprintf(STDERR, "\n Testing libpng version %s\n", PNG_LIBPNG_VER_STRING); fprintf(STDERR, " with zlib version %s\n", ZLIB_VERSION); fprintf(STDERR, "%s", png_get_copyright(NULL)); @@ -1994,6 +1996,24 @@ main(int argc, char *argv[]) else fprintf(STDERR, " libpng FAILS test\n"); + dummy_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING, NULL, NULL, NULL); + fprintf(STDERR, " Default limits:\n"); + fprintf(STDERR, " width_max = %lu\n", + (unsigned long) png_get_user_width_max(dummy_ptr)); + fprintf(STDERR, " height_max = %lu\n", + (unsigned long) png_get_user_height_max(dummy_ptr)); + if (png_get_chunk_cache_max(dummy_ptr) == 0) + fprintf(STDERR, " cache_max = unlimited\n"); + else + fprintf(STDERR, " cache_max = %lu\n", + (unsigned long) png_get_chunk_cache_max(dummy_ptr)); + if (png_get_chunk_malloc_max(dummy_ptr) == 0) + fprintf(STDERR, " malloc_max = unlimited\n"); + else + fprintf(STDERR, " malloc_max = %lu\n", + (unsigned long) png_get_chunk_malloc_max(dummy_ptr)); + png_destroy_read_struct(&dummy_ptr, NULL, NULL); + return (int)(ierror != 0); } #else diff --git a/pngusr.dfa b/pngusr.dfa index 9d39564b5..83067c38c 100644 --- a/pngusr.dfa +++ b/pngusr.dfa 
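Review bot: In the `@@ -1994` hunk the return value of `png_create_read_struct` is never checked before dummy_ptr is handed to the four `png_get_*` getters, so an allocation failure makes the report print `width_max = 0` and `cache_max = unlimited`, which is exactly the wrong thing for a limits display to say by accident. These getters are, as far as I recall, declared only under PNG_SET_USER_LIMITS_SUPPORTED while this block is unconditional; confirm against png.h and wrap the block in the same `#ifdef` if so. main() begins outside the hunk. Proposed shape:
```c
   dummy_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING, NULL, NULL, NULL);
   if (dummy_ptr == NULL)
      fprintf(STDERR, " Default limits: unavailable (png_create_read_struct failed)\n");
   else
   {
      fprintf(STDERR, " Default limits:\n");
      /* … unchanged: the width/height/cache/malloc fprintf calls … */
      png_destroy_read_struct(&dummy_ptr, NULL, NULL);
   }
```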
@@ -8,7 +8,7 @@ # here by entering the appropriate values as #defines preceded by '@' (to cause, # them to be passed through to the build of pnglibconf.h), for example: # -# @# define PNG_USER_WIDTH_MAX 1000000 -# @# define PNG_USER_HEIGHT_MAX 1000000 -# @# define PNG_USER_CHUNK_CACHE_MAX 128 -# @# define PNG_USER_CHUNK_MALLOC_MAX 8000000 +# @# define PNG_USER_WIDTH_MAX 65535 +# @# define PNG_USER_HEIGHT_MAX 65535 +# @# define PNG_USER_CHUNK_CACHE_MAX 256 +# @# define PNG_USER_CHUNK_MALLOC_MAX 640000 diff --git a/scripts/pnglibconf.dfa b/scripts/pnglibconf.dfa index d98d27437..692fd5874 100644 --- a/scripts/pnglibconf.dfa +++ b/scripts/pnglibconf.dfa 
@@ -350,36 +350,15 @@ option USER_MEM option IO_STATE -# This is only for PowerPC big-endian and 680x0 systems -# some testing, not enabled by default. -# NO LONGER USED - -#option READ_BIG_ENDIAN disabled - -# Allow users to control limits on what the READ code will -# read: - -# Added at libpng-1.2.43; adds limit fields to png_struct, -# allows some usages of these fields - -option USER_LIMITS - -# Added at libpng-1.2.6; adds setting APIs, allows additional -# usage of this field (UTSL) - -option SET_USER_LIMITS requires USER_LIMITS - -# Feature added at libpng-1.4.0, this flag added at 1.4.1 -option SET_USER_LIMITS enables SET_CHUNK_CACHE_LIMIT -# Feature added at libpng-1.4.1, this flag added at 1.4.1 - -option SET_USER_LIMITS enables SET_CHUNK_MALLOC_LIMIT - -# Libpng limits. +# Libpng limits: limit the size of images and data on read. # -# If these settings are *not* set libpng will not limit the size of -# images or the size of data in ancilliary chunks. This does lead to -# security issues if PNG files come from untrusted sources. Settings have the +# If this option is disabled all the limit checking code will be disabled: + +option USER_LIMITS requires READ + +# The default settings given below for the limits mean that libpng will +# limit the size of images or the size of data in ancilliary chunks to less +# than the specification or implementation limits. Settings have the # following interpretations: # # USER_WIDTH_MAX: maximum width of an image that will be read 
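Review bot: The two `option SET_USER_LIMITS enables SET_CHUNK_CACHE_LIMIT` / `option SET_USER_LIMITS enables SET_CHUNK_MALLOC_LIMIT` lines are removed with no replacement, so the PNG_SET_CHUNK_CACHE_LIMIT_SUPPORTED and PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED flags stop being generated, and neither the commit message nor CHANGES mentions it. Whether anything in the tree or in downstream pngusr.dfa files still tests those flags is not visible here; it is worth a grep before merging. If the removal is intended, a one-line comment above the new `option USER_LIMITS requires READ` such as `# The 1.4.1 SET_CHUNK_CACHE_LIMIT/SET_CHUNK_MALLOC_LIMIT flags are no longer generated.` would record that, since the surrounding history comments for these options are also deleted.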
@@ -389,17 +368,14 @@ option SET_USER_LIMITS enables SET_CHUNK_MALLOC_LIMIT # # Only chunks that are variable in number are counted towards the # USER_CHUNK_CACHE_MAX limit -setting USER_WIDTH_MAX -setting USER_HEIGHT_MAX -setting USER_CHUNK_CACHE_MAX -setting USER_CHUNK_MALLOC_MAX +setting USER_WIDTH_MAX default 1000000 /* Use 0x7fffffff for unlimited */ +setting USER_HEIGHT_MAX default 1000000 /* Use 0x7fffffff for unlimited */ +setting USER_CHUNK_CACHE_MAX default 1000 /* Use 0 for unlimited */ +setting USER_CHUNK_MALLOC_MAX default 8000000 /* Use 0 for unlimited */ -# To default all these settings to values that are large but probably -# safe turn the SAFE_LIMITS option on; this will cause the value in -# pngpriv.h to be used. Individual values can also be set, simply set -# them in pngusr.dfa with '@#define PNG_setting value' lines. -option SAFE_LIMITS enables USER_LIMITS disabled -= SAFE_LIMITS SAFE_LIMITS +# If this option is enabled APIs to set the above limits at run time are added; +# without this the hardwired (compile time) limits will be used. +option SET_USER_LIMITS requires USER_LIMITS # All of the following options relate to code capabilities for # processing image data before creating a PNG or after reading one. @@ -541,6 +517,7 @@ option USER_TRANSFORM_INFO if READ_USER_TRANSFORM, WRITE_USER_TRANSFORM # non-IDAT chunks (zTXt, iTXt, iCCP, and unknown chunks). This feature # was added at libpng-1.5.3. option WRITE_CUSTOMIZE_ZTXT_COMPRESSION requires WRITE +option WRITE_CUSTOMIZE_COMPRESSION requires WRITE # Any chunks you are not interested in, you can undef here. The # ones that allocate memory may be expecially important (hIST, diff --git a/scripts/pnglibconf.h.prebuilt b/scripts/pnglibconf.h.prebuilt index a6101a931..7a683d31b 100644 --- a/scripts/pnglibconf.h.prebuilt +++ b/scripts/pnglibconf.h.prebuilt 
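Review bot: In the `@@ -541` hunk `option WRITE_CUSTOMIZE_COMPRESSION requires WRITE` is added without a comment, and the block comment immediately above it describes only the zTXt option ("This feature was added at libpng-1.5.3"), so a reader will take that text as applying to both. It is also unrelated to the SAFE_LIMITS change this commit describes, which makes it easy to miss. Add a comment above the new line, parallel to the zTXt one, naming the write APIs it gates and the version it was added in. In the `@@ -389` hunk the `= SAFE_LIMITS SAFE_LIMITS` removal presumably turns an existing `option SAFE_LIMITS` line in a user's pngusr.dfa into an unknown option; if that is a build error rather than a silent ignore, it deserves a sentence in CHANGES.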
@@ -2,7 +2,7 @@ /* pnglibconf.h - library build configuration */ -/* Libpng version 1.6.17beta03 - February 7, 2015 */ +/* Libpng version 1.6.17beta03 - February 17, 2015 */ /* Copyright (c) 1998-2014 Glenn Randers-Pehrson */ @@ -97,7 +97,6 @@ #define PNG_READ_tIME_SUPPORTED #define PNG_READ_tRNS_SUPPORTED #define PNG_READ_zTXt_SUPPORTED -/*#undef PNG_SAFE_LIMITS_SUPPORTED*/ #define PNG_SAVE_INT_32_SUPPORTED #define PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED #define PNG_SEQUENTIAL_READ_SUPPORTED @@ -129,6 +128,7 @@ #define PNG_WRITE_BGR_SUPPORTED #define PNG_WRITE_CHECK_FOR_INVALID_INDEX_SUPPORTED #define PNG_WRITE_COMPRESSED_TEXT_SUPPORTED +#define PNG_WRITE_CUSTOMIZE_COMPRESSION_SUPPORTED #define PNG_WRITE_CUSTOMIZE_ZTXT_COMPRESSION_SUPPORTED #define PNG_WRITE_FILLER_SUPPORTED #define PNG_WRITE_FILTER_SUPPORTED @@ -198,6 +198,10 @@ #define PNG_QUANTIZE_RED_BITS 5 #define PNG_TEXT_Z_DEFAULT_COMPRESSION (-1) #define PNG_TEXT_Z_DEFAULT_STRATEGY 0 +#define PNG_USER_CHUNK_CACHE_MAX 1000 /* Use 0 for unlimited */ +#define PNG_USER_CHUNK_MALLOC_MAX 8000000 /* Use 0 for unlimited */ +#define PNG_USER_HEIGHT_MAX 1000000 /* Use 0x7fffffff for unlimited */ +#define PNG_USER_WIDTH_MAX 1000000 /* Use 0x7fffffff for unlimited */ #define PNG_WEIGHT_SHIFT 8 #define PNG_ZBUF_SIZE 8192 #define PNG_ZLIB_VERNUM 0 /* unknown */