cheng/libpng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[libpng16] Eliminated PNG_SAFE_LIMITS macro and restored the 1-million-column

Browse Source 
and 1-million-row default limits in pnglibconf.dfa, that can be reset
by the user at build time or run time.  This provides a more robust
defense against DOS and as-yet undiscovered overflows.

Display user limits in the output from pngtest.
This commit is contained in:
Glenn Randers-Pehrson 2015-02-16 22:52:07 -06:00
parent 471b38aa00
commit 4b65a89cf4
7 changed files with 65 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ANNOUNCE
View File

@ -1,4 +1,4 @@
Libpng 1.6.17beta03 - February 7, 2015 Libpng 1.6.17beta03 - February 17, 2015
This is not intended to be a public release. It will be replaced This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version. within a few weeks by a public version or by another test version.
@ -44,7 +44,12 @@ Version 1.6.17beta02 [February 7, 2015]
Work around one more Coverity-scan dead-code warning. Work around one more Coverity-scan dead-code warning.
Do not build png_product2() when it is unused. Do not build png_product2() when it is unused.
Version 1.6.17beta03 [February 7, 2015] Version 1.6.17beta03 [February 17, 2015]
Display user limits in the output from pngtest.
Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column
and 1-million-row default limits in pnglibconf.dfa, that can be reset
by the user at build time or run time. This provides a more robust
defense against DOS and as-yet undiscovered overflows.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

7
CHANGES
View File

@ -5145,7 +5145,12 @@ Version 1.6.17beta02 [February 7, 2015]
Work around one more Coverity-scan dead-code warning. Work around one more Coverity-scan dead-code warning.
Do not build png_product2() when it is unused. Do not build png_product2() when it is unused.
Version 1.6.17beta03 [February 7, 2015] Version 1.6.17beta03 [February 17, 2015]
Display user limits in the output from pngtest.
Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column
and 1-million-row default limits in pnglibconf.dfa, that can be reset
by the user at build time or run time. This provides a more robust
defense against DOS and as-yet undiscovered overflows.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

43
pngpriv.h
View File

@ -300,46 +300,9 @@
/* SECURITY and SAFETY: /* SECURITY and SAFETY:
* *
* By default libpng is built without any internal limits on image size, * libpng is built with support for internal limits on image dimensions and
* individual heap (png_malloc) allocations or the total amount of memory used. * memory usage. These are documented in scripts/pnglibconf.dfa of the
* If PNG_SAFE_LIMITS_SUPPORTED is defined, however, the limits below are used * source and recorded in the machine generated header file pnglibconf.h.
* (unless individually overridden). These limits are believed to be fairly
* safe, but builders of secure systems should verify the values against the
* real system capabilities.
*/
#ifdef PNG_SAFE_LIMITS_SUPPORTED
/* 'safe' limits */
# ifndef PNG_USER_WIDTH_MAX
# define PNG_USER_WIDTH_MAX 1000000
# endif
# ifndef PNG_USER_HEIGHT_MAX
# define PNG_USER_HEIGHT_MAX 1000000
# endif
# ifndef PNG_USER_CHUNK_CACHE_MAX
# define PNG_USER_CHUNK_CACHE_MAX 128
# endif
# ifndef PNG_USER_CHUNK_MALLOC_MAX
# define PNG_USER_CHUNK_MALLOC_MAX 8000000
# endif
#else
/* values for no limits */
# ifndef PNG_USER_WIDTH_MAX
# define PNG_USER_WIDTH_MAX 0x7fffffff
# endif
# ifndef PNG_USER_HEIGHT_MAX
# define PNG_USER_HEIGHT_MAX 0x7fffffff
# endif
# ifndef PNG_USER_CHUNK_CACHE_MAX
# define PNG_USER_CHUNK_CACHE_MAX 0
# endif
# ifndef PNG_USER_CHUNK_MALLOC_MAX
# define PNG_USER_CHUNK_MALLOC_MAX 0
# endif
#endif
/* Moved to pngpriv.h at libpng-1.5.0 */
/* NOTE: some of these may have been used in external applications as
* these definitions were exposed in pngconf.h prior to 1.5.
*/ */
/* If you are running on a machine where you cannot allocate more /* If you are running on a machine where you cannot allocate more

26
pngtest.c
View File

@ -377,7 +377,7 @@ pngtest_read_data(png_structp png_ptr, png_bytep data, png_size_t length)
io_ptr = png_get_io_ptr(png_ptr); io_ptr = png_get_io_ptr(png_ptr);
if (io_ptr != NULL) if (io_ptr != NULL)
{ {
check = fread(data, (sizeof (png_byte)), length, (png_FILE_p)io_ptr); check = fread(data, 1, length, (png_FILE_p)io_ptr);
} }
if (check != length) if (check != length)
@ -1610,8 +1610,8 @@ test_one_file(PNG_CONST char *inname, PNG_CONST char *outname)
png_size_t num_in, num_out; png_size_t num_in, num_out;
char inbuf[256], outbuf[256]; char inbuf[256], outbuf[256];
num_in = fread(inbuf, 1, (sizeof inbuf), fpin); num_in = fread(inbuf, 1, sizeof inbuf, fpin);
num_out = fread(outbuf, 1, (sizeof outbuf), fpout); num_out = fread(outbuf, 1, sizeof outbuf, fpout);
if (num_in != num_out) if (num_in != num_out)
{ {
@ -1701,6 +1701,8 @@ main(int argc, char *argv[])
int multiple = 0; int multiple = 0;
int ierror = 0; int ierror = 0;
png_structp dummy_ptr;
fprintf(STDERR, "\n Testing libpng version %s\n", PNG_LIBPNG_VER_STRING); fprintf(STDERR, "\n Testing libpng version %s\n", PNG_LIBPNG_VER_STRING);
fprintf(STDERR, " with zlib version %s\n", ZLIB_VERSION); fprintf(STDERR, " with zlib version %s\n", ZLIB_VERSION);
fprintf(STDERR, "%s", png_get_copyright(NULL)); fprintf(STDERR, "%s", png_get_copyright(NULL));
@ -1994,6 +1996,24 @@ main(int argc, char *argv[])
else else
fprintf(STDERR, " libpng FAILS test\n"); fprintf(STDERR, " libpng FAILS test\n");
dummy_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING, NULL, NULL, NULL);
fprintf(STDERR, " Default limits:\n");
fprintf(STDERR, " width_max = %lu\n",
(unsigned long) png_get_user_width_max(dummy_ptr));
fprintf(STDERR, " height_max = %lu\n",
(unsigned long) png_get_user_height_max(dummy_ptr));
if (png_get_chunk_cache_max(dummy_ptr) == 0)
fprintf(STDERR, " cache_max = unlimited\n");
else
fprintf(STDERR, " cache_max = %lu\n",
(unsigned long) png_get_chunk_cache_max(dummy_ptr));
if (png_get_chunk_malloc_max(dummy_ptr) == 0)
fprintf(STDERR, " malloc_max = unlimited\n");
else
fprintf(STDERR, " malloc_max = %lu\n",
(unsigned long) png_get_chunk_malloc_max(dummy_ptr));
png_destroy_read_struct(&dummy_ptr, NULL, NULL);
return (int)(ierror != 0); return (int)(ierror != 0);
} }
#else #else

8
pngusr.dfa
View File

@ -8,7 +8,7 @@
# here by entering the appropriate values as #defines preceded by '@' (to cause, # here by entering the appropriate values as #defines preceded by '@' (to cause,
# them to be passed through to the build of pnglibconf.h), for example: # them to be passed through to the build of pnglibconf.h), for example:
# #
# @# define PNG_USER_WIDTH_MAX 1000000 # @# define PNG_USER_WIDTH_MAX 65535
# @# define PNG_USER_HEIGHT_MAX 1000000 # @# define PNG_USER_HEIGHT_MAX 65535
# @# define PNG_USER_CHUNK_CACHE_MAX 128 # @# define PNG_USER_CHUNK_CACHE_MAX 256
# @# define PNG_USER_CHUNK_MALLOC_MAX 8000000 # @# define PNG_USER_CHUNK_MALLOC_MAX 640000

55
scripts/pnglibconf.dfa
View File

@ -350,36 +350,15 @@ option USER_MEM
option IO_STATE option IO_STATE
# This is only for PowerPC big-endian and 680x0 systems # Libpng limits: limit the size of images and data on read.
# some testing, not enabled by default.
# NO LONGER USED
#option READ_BIG_ENDIAN disabled
# Allow users to control limits on what the READ code will
# read:
# Added at libpng-1.2.43; adds limit fields to png_struct,
# allows some usages of these fields
option USER_LIMITS
# Added at libpng-1.2.6; adds setting APIs, allows additional
# usage of this field (UTSL)
option SET_USER_LIMITS requires USER_LIMITS
# Feature added at libpng-1.4.0, this flag added at 1.4.1
option SET_USER_LIMITS enables SET_CHUNK_CACHE_LIMIT
# Feature added at libpng-1.4.1, this flag added at 1.4.1
option SET_USER_LIMITS enables SET_CHUNK_MALLOC_LIMIT
# Libpng limits.
# #
# If these settings are *not* set libpng will not limit the size of # If this option is disabled all the limit checking code will be disabled:
# images or the size of data in ancilliary chunks. This does lead to
# security issues if PNG files come from untrusted sources. Settings have the option USER_LIMITS requires READ
# The default settings given below for the limits mean that libpng will
# limit the size of images or the size of data in ancilliary chunks to less
# than the specification or implementation limits. Settings have the
# following interpretations: # following interpretations:
# #
# USER_WIDTH_MAX: maximum width of an image that will be read # USER_WIDTH_MAX: maximum width of an image that will be read
@ -389,17 +368,14 @@ option SET_USER_LIMITS enables SET_CHUNK_MALLOC_LIMIT
# #
# Only chunks that are variable in number are counted towards the # Only chunks that are variable in number are counted towards the
# USER_CHUNK_CACHE_MAX limit # USER_CHUNK_CACHE_MAX limit
setting USER_WIDTH_MAX setting USER_WIDTH_MAX default 1000000 /* Use 0x7fffffff for unlimited */
setting USER_HEIGHT_MAX setting USER_HEIGHT_MAX default 1000000 /* Use 0x7fffffff for unlimited */
setting USER_CHUNK_CACHE_MAX setting USER_CHUNK_CACHE_MAX default 1000 /* Use 0 for unlimited */
setting USER_CHUNK_MALLOC_MAX setting USER_CHUNK_MALLOC_MAX default 8000000 /* Use 0 for unlimited */
# To default all these settings to values that are large but probably # If this option is enabled APIs to set the above limits at run time are added;
# safe turn the SAFE_LIMITS option on; this will cause the value in # without this the hardwired (compile time) limits will be used.
# pngpriv.h to be used. Individual values can also be set, simply set option SET_USER_LIMITS requires USER_LIMITS
# them in pngusr.dfa with '@#define PNG_setting value' lines.
option SAFE_LIMITS enables USER_LIMITS disabled
= SAFE_LIMITS SAFE_LIMITS
# All of the following options relate to code capabilities for # All of the following options relate to code capabilities for
# processing image data before creating a PNG or after reading one. # processing image data before creating a PNG or after reading one.
@ -541,6 +517,7 @@ option USER_TRANSFORM_INFO if READ_USER_TRANSFORM, WRITE_USER_TRANSFORM
# non-IDAT chunks (zTXt, iTXt, iCCP, and unknown chunks). This feature # non-IDAT chunks (zTXt, iTXt, iCCP, and unknown chunks). This feature
# was added at libpng-1.5.3. # was added at libpng-1.5.3.
option WRITE_CUSTOMIZE_ZTXT_COMPRESSION requires WRITE option WRITE_CUSTOMIZE_ZTXT_COMPRESSION requires WRITE
option WRITE_CUSTOMIZE_COMPRESSION requires WRITE
# Any chunks you are not interested in, you can undef here. The # Any chunks you are not interested in, you can undef here. The
# ones that allocate memory may be expecially important (hIST, # ones that allocate memory may be expecially important (hIST,

8
scripts/pnglibconf.h.prebuilt
View File

@ -2,7 +2,7 @@
/* pnglibconf.h - library build configuration */ /* pnglibconf.h - library build configuration */
/* Libpng version 1.6.17beta03 - February 7, 2015 */ /* Libpng version 1.6.17beta03 - February 17, 2015 */
/* Copyright (c) 1998-2014 Glenn Randers-Pehrson */ /* Copyright (c) 1998-2014 Glenn Randers-Pehrson */
@ -97,7 +97,6 @@
#define PNG_READ_tIME_SUPPORTED #define PNG_READ_tIME_SUPPORTED
#define PNG_READ_tRNS_SUPPORTED #define PNG_READ_tRNS_SUPPORTED
#define PNG_READ_zTXt_SUPPORTED #define PNG_READ_zTXt_SUPPORTED
/*#undef PNG_SAFE_LIMITS_SUPPORTED*/
#define PNG_SAVE_INT_32_SUPPORTED #define PNG_SAVE_INT_32_SUPPORTED
#define PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED #define PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
#define PNG_SEQUENTIAL_READ_SUPPORTED #define PNG_SEQUENTIAL_READ_SUPPORTED
@ -129,6 +128,7 @@
#define PNG_WRITE_BGR_SUPPORTED #define PNG_WRITE_BGR_SUPPORTED
#define PNG_WRITE_CHECK_FOR_INVALID_INDEX_SUPPORTED #define PNG_WRITE_CHECK_FOR_INVALID_INDEX_SUPPORTED
#define PNG_WRITE_COMPRESSED_TEXT_SUPPORTED #define PNG_WRITE_COMPRESSED_TEXT_SUPPORTED
#define PNG_WRITE_CUSTOMIZE_COMPRESSION_SUPPORTED
#define PNG_WRITE_CUSTOMIZE_ZTXT_COMPRESSION_SUPPORTED #define PNG_WRITE_CUSTOMIZE_ZTXT_COMPRESSION_SUPPORTED
#define PNG_WRITE_FILLER_SUPPORTED #define PNG_WRITE_FILLER_SUPPORTED
#define PNG_WRITE_FILTER_SUPPORTED #define PNG_WRITE_FILTER_SUPPORTED
@ -198,6 +198,10 @@
#define PNG_QUANTIZE_RED_BITS 5 #define PNG_QUANTIZE_RED_BITS 5
#define PNG_TEXT_Z_DEFAULT_COMPRESSION (-1) #define PNG_TEXT_Z_DEFAULT_COMPRESSION (-1)
#define PNG_TEXT_Z_DEFAULT_STRATEGY 0 #define PNG_TEXT_Z_DEFAULT_STRATEGY 0
#define PNG_USER_CHUNK_CACHE_MAX 1000 /* Use 0 for unlimited */
#define PNG_USER_CHUNK_MALLOC_MAX 8000000 /* Use 0 for unlimited */
#define PNG_USER_HEIGHT_MAX 1000000 /* Use 0x7fffffff for unlimited */
#define PNG_USER_WIDTH_MAX 1000000 /* Use 0x7fffffff for unlimited */
#define PNG_WEIGHT_SHIFT 8 #define PNG_WEIGHT_SHIFT 8
#define PNG_ZBUF_SIZE 8192 #define PNG_ZBUF_SIZE 8192
#define PNG_ZLIB_VERNUM 0 /* unknown */ #define PNG_ZLIB_VERNUM 0 /* unknown */