cheng/libpng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[libpng16]Revised png_check_IHDR() to use PNG_SIZE_MAX instead of

Browse Source 
PNG_UINT_32_MAX in the test for potential overflow in PNG_ROWBYTES.
This commit is contained in:
Glenn Randers-Pehrson 2014-01-09 11:48:23 -06:00
parent bef206b0a8
commit 4ea97d8bc7
3 changed files with 13 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ANNOUNCE
View File

@ -1,5 +1,5 @@
Libpng 1.6.9beta03 - January 1, 2014 Libpng 1.6.9beta03 - January 10, 2014
This is not intended to be a public release. It will be replaced This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version. within a few weeks by a public version or by another test version.
@ -60,7 +60,9 @@ Version 1.6.9beta02 [January 1, 2014]
libpng17/png.h and libpng17.a). Three new configure options and some libpng17/png.h and libpng17.a). Three new configure options and some
rearrangement of Makefile.am allow creation of these links to be disabled. rearrangement of Makefile.am allow creation of these links to be disabled.
Version 1.6.9beta03 [January 1, 2014] Version 1.6.9beta03 [January 10, 2014]
Revised png_check_IHDR() to use PNG_SIZE_MAX instead of PNG_UINT_32_MAX
in the test for potential overflow in PNG_ROWBYTES.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

4
CHANGES
View File

@ -4785,7 +4785,9 @@ Version 1.6.9beta02 [January 1, 2014]
libpng17/png.h and libpng17.a). Three new configure options and some libpng17/png.h and libpng17.a). Three new configure options and some
rearrangement of Makefile.am allow creation of these links to be disabled. rearrangement of Makefile.am allow creation of these links to be disabled.
Version 1.6.9beta03 [January 1, 2014] Version 1.6.9beta03 [January 10, 2014]
Revised png_check_IHDR() to use PNG_SIZE_MAX instead of PNG_UINT_32_MAX
in the test for potential overflow in PNG_ROWBYTES.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

10
png.c
View File

@ -773,13 +773,13 @@ png_get_copyright(png_const_structrp png_ptr)
#else #else
# ifdef __STDC__ # ifdef __STDC__
return PNG_STRING_NEWLINE \ return PNG_STRING_NEWLINE \
"libpng version 1.6.9beta03 - January 8, 2014" PNG_STRING_NEWLINE \ "libpng version 1.6.9beta03 - January 10, 2014" PNG_STRING_NEWLINE \
"Copyright (c) 1998-2014 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \ "Copyright (c) 1998-2014 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \
"Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \ "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
"Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \ "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
PNG_STRING_NEWLINE; PNG_STRING_NEWLINE;
# else # else
return "libpng version 1.6.9beta03 - January 8, 2014\ return "libpng version 1.6.9beta03 - January 10, 2014\
Copyright (c) 1998-2014 Glenn Randers-Pehrson\ Copyright (c) 1998-2014 Glenn Randers-Pehrson\
Copyright (c) 1996-1997 Andreas Dilger\ Copyright (c) 1996-1997 Andreas Dilger\
Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc."; Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.";
@ -2473,12 +2473,14 @@ png_check_IHDR(png_const_structrp png_ptr,
error = 1; error = 1;
} }
if (error == 0 && width > (PNG_UINT_32_MAX /* Check for potential overflow in PNG_ROWBYTES calculation */
if (error == 0 && width > (PNG_SIZE_MAX
>> 3) /* 8-byte RGBA pixels */ >> 3) /* 8-byte RGBA pixels */
- 48 /* bigrowbuf hack */ - 48 /* bigrowbuf hack */
- 1 /* filter byte */ - 1 /* filter byte */
- 7*8 /* rounding of width to multiple of 8 pixels */ - 7*8 /* rounding of width to multiple of 8 pixels */
- 8) /* extra max_pixel_depth pad */ - 8 /* extra max_pixel_depth pad */
- error) /* to prevent always-false compiler warning */
png_warning(png_ptr, png_warning(png_ptr,
"Width may be too large for libpng to process pixels"); "Width may be too large for libpng to process pixels");