From 6a6eb354ff4eda992e384d8847f31c61953d45ab Mon Sep 17 00:00:00 2001 From: John Bowler Date: Wed, 24 Dec 2014 18:54:08 -0600 Subject: [PATCH] [libpng16] Removed user limits from pngfix. Also pass NULL pointers to png_read_row to skip the unnecessary row de-interlace stuff. --- ANNOUNCE | 6 +++-- CHANGES | 4 +++- contrib/tools/pngfix.c | 53 ++++++++++++++++++++---------------------- 3 files changed, 32 insertions(+), 31 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index 4a59d1e4e..f62790b57 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,4 +1,4 @@ -Libpng 1.6.17beta01 - December 23, 2014 +Libpng 1.6.17beta01 - December 25, 2014 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -25,9 +25,11 @@ Other information: Changes since the last public release (1.6.16): -Version 1.6.17beta01 [December 23, 2014] +Version 1.6.17beta01 [December 25, 2014] Removed duplicate PNG_SAFE_LIMITS_SUPPORTED handling from pngconf.h Corrected the width limit calculation in png_check_IHDR(). + Removed user limits from pngfix. Also pass NULL pointers to + png_read_row to skip the unnecessary row de-interlace stuff. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index fb7ffd796..a885b93a0 100644 --- a/CHANGES +++ b/CHANGES @@ -5125,9 +5125,11 @@ Version 1.6.16rc03 [December 21, 2014] Version 1.6.16 [December 22, 2014] No changes. -Version 1.6.17beta01 [December 23, 2014] +Version 1.6.17beta01 [December 25, 2014] Removed duplicate PNG_SAFE_LIMITS_SUPPORTED handling from pngconf.h Corrected the width limit calculation in png_check_IHDR(). + Removed user limits from pngfix. Also pass NULL pointers to + png_read_row to skip the unnecessary row de-interlace stuff. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit 
diff --git a/contrib/tools/pngfix.c b/contrib/tools/pngfix.c index 65422f600..5b5d1888a 100644 --- a/contrib/tools/pngfix.c +++ b/contrib/tools/pngfix.c @@ -2,7 +2,7 @@ * * Copyright (c) 2014 John Cunningham Bowler * - * Last changed in libpng 1.6.14 [October 23, 2014] + * Last changed in libpng 1.6.17 [(PENDING RELEASE)] * * This code is released under the libpng license. * For conditions of distribution and use, see the disclaimer @@ -3577,10 +3577,9 @@ read_png(struct control *control) { png_structp png_ptr; png_infop info_ptr = NULL; - volatile png_bytep row = NULL, display = NULL; volatile int rc; - png_ptr = png_create_read_struct(png_get_libpng_ver(NULL), control, + png_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING, control, error_handler, warning_handler); if (png_ptr == NULL) @@ -3594,6 +3593,16 @@ read_png(struct control *control) rc = setjmp(control->file.jmpbuf); if (rc == 0) { +# ifdef PNG_SET_USER_LIMITS_SUPPORTED + /* Remove any limits on the size of PNG files that can be read, + * without this we may reject files based on built-in safety + * limits. + */ + png_set_user_limits(png_ptr, 0x7fffffff, 0x7fffffff); + png_set_chunk_cache_max(png_ptr, 0); + png_set_chunk_malloc_max(png_ptr, 0); +# endif + png_set_read_fn(png_ptr, control, read_callback); info_ptr = png_create_info_struct(png_ptr); 
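Review bot: In the declarations at the top of read_png, `info_ptr` stays non-volatile even though the next hunk shows it assigned after `rc = setjmp(control->file.jmpbuf)`, and the last hunk shows it read again by `png_destroy_read_struct(&png_ptr, &info_ptr, NULL)` once an error has jumped back. C leaves a non-volatile local that was modified between setjmp and longjmp indeterminate, which is presumably why the removed `row` and `display` were volatile. With those gone, `info_ptr` appears to be the only local still exposed to this. One fix is to move `info_ptr = png_create_info_struct(png_ptr);` ahead of the `setjmp` call; any NULL check that follows it would then have to report failure without png_error. The body of read_png continues outside this hunk, so confirm against the full function.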
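Review bot: The three calls added under `PNG_SET_USER_LIMITS_SUPPORTED` switch off libpng's user limits unconditionally, so a pngfix run over an untrusted or deliberately malformed file no longer has a bound on chunk allocation or on the number of cached chunks. That matches the tool's goal of not rejecting large but valid files, but memory use is now governed entirely by the input. I would extend the comment to say so, e.g. `/* NOTE: this also removes the protection against oversized chunks; run under an OS memory limit when the input is untrusted. */`. Consider making the removal a command-line option rather than the default. read_png continues outside this hunk.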
@@ -3606,32 +3615,22 @@ read_png(struct control *control) png_read_info(png_ptr, info_ptr); { - png_size_t rowbytes = png_get_rowbytes(png_ptr, info_ptr); + png_uint_32 height = png_get_image_height(png_ptr, info_ptr); + int passes = png_set_interlace_handling(png_ptr); + int pass; - row = png_voidcast(png_byte*, malloc(rowbytes)); - display = png_voidcast(png_byte*, malloc(rowbytes)); + png_start_read_image(png_ptr); - if (row == NULL || display == NULL) - png_error(png_ptr, "OOM allocating row buffers"); + for (pass = 0; pass < passes; ++pass) + { + png_uint_32 y = height; - { - png_uint_32 height = png_get_image_height(png_ptr, info_ptr); - int passes = png_set_interlace_handling(png_ptr); - int pass; - - png_start_read_image(png_ptr); - - for (pass = 0; pass < passes; ++pass) - { - png_uint_32 y = height; - - /* NOTE: this trashes the row each time; interlace handling won't - * work, but this avoids memory thrashing for speed testing. - */ - while (y-- > 0) - png_read_row(png_ptr, row, display); - } - } + /* NOTE: this skips asking libpng to return either version of + * the image row, but libpng still reads the rows. + */ + while (y-- > 0) + png_read_row(png_ptr, NULL, NULL); + } } if (control->file.global->verbose) @@ -3642,8 +3641,6 @@ read_png(struct control *control) } png_destroy_read_struct(&png_ptr, &info_ptr, NULL); - if (row != NULL) free(row); - if (display != NULL) free(display); return rc; }
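Review bot: The new comment in the pass loop says libpng is not asked for "either version of the image row", which does not tell a reader what the two NULL arguments to `png_read_row` are or why the loop is still needed. Suggest `/* Pass NULL for both the row and display_row outputs: no row buffer is needed, but libpng still reads every row, so damaged image data is still reported through error_handler. */`. The last clause is inferred from the handlers installed in the earlier hunk, so confirm it before adopting the wording. It is also worth stating there that `height` comes straight from the file's IHDR, since it bounds this loop and the earlier hunk raises the accepted maximum to 0x7fffffff.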