[libpng16] Reject attempt to write over-length PLTE chunk

Glenn Randers-Pehrson 2015-10-29 09:26:41 -05:00
parent 9c7ed35a65
commit 81f44665cc
4 changed files with 17 additions and 4 deletions


@ -5142,6 +5142,11 @@ It can be set for testing debug or beta builds to ensure that they will compile
when the build type is switched to RC or STABLE. In essence this overrides the when the build type is switched to RC or STABLE. In essence this overrides the
PNG_LIBPNG_BUILD_BASE_TYPE definition which is not directly user controllable. PNG_LIBPNG_BUILD_BASE_TYPE definition which is not directly user controllable.
Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
is an error. Previously this requirement of the PNG specification was not
enforced. Libpng continues to accept over-length PLTE chunks when reading,
but does not make any use of the extra entries.
XIII. Detecting libpng XIII. Detecting libpng
The png_get_io_ptr() function has been present since libpng-0.88, has never The png_get_io_ptr() function has been present since libpng-0.88, has never


@ -5650,6 +5650,11 @@ It can be set for testing debug or beta builds to ensure that they will compile
when the build type is switched to RC or STABLE. In essence this overrides the when the build type is switched to RC or STABLE. In essence this overrides the
PNG_LIBPNG_BUILD_BASE_TYPE definition which is not directly user controllable. PNG_LIBPNG_BUILD_BASE_TYPE definition which is not directly user controllable.
Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
is an error. Previously this requirement of the PNG specification was not
enforced. Libpng continues to accept over-length PLTE chunks when reading,
but does not make any use of the extra entries.
.SH XIII. Detecting libpng .SH XIII. Detecting libpng
The png_get_io_ptr() function has been present since libpng-0.88, has never The png_get_io_ptr() function has been present since libpng-0.88, has never


@ -1,7 +1,7 @@
/* pngwrite.c - general routines to write a PNG file /* pngwrite.c - general routines to write a PNG file
* *
* Last changed in libpng 1.6.18 [July 23, 2015] * Last changed in libpng 1.6.19 [(PENDING RELEASE)]
* Copyright (c) 1998-2015 Glenn Randers-Pehrson * Copyright (c) 1998-2015 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@ -206,7 +206,7 @@ png_write_info(png_structrp png_ptr, png_const_inforp info_ptr)
png_write_PLTE(png_ptr, info_ptr->palette, png_write_PLTE(png_ptr, info_ptr->palette,
(png_uint_32)info_ptr->num_palette); (png_uint_32)info_ptr->num_palette);
else if ((info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) !=0) else if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
png_error(png_ptr, "Valid palette required for paletted images"); png_error(png_ptr, "Valid palette required for paletted images");
#ifdef PNG_WRITE_tRNS_SUPPORTED #ifdef PNG_WRITE_tRNS_SUPPORTED


@ -922,17 +922,20 @@ void /* PRIVATE */
png_write_PLTE(png_structrp png_ptr, png_const_colorp palette, png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
png_uint_32 num_pal) png_uint_32 num_pal)
{ {
png_uint_32 i; png_uint_32 max_num_pal, i;
png_const_colorp pal_ptr; png_const_colorp pal_ptr;
png_byte buf[3]; png_byte buf[3];
png_debug(1, "in png_write_PLTE"); png_debug(1, "in png_write_PLTE");
max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
(1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
if (( if ((
#ifdef PNG_MNG_FEATURES_SUPPORTED #ifdef PNG_MNG_FEATURES_SUPPORTED
(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 && (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
#endif #endif
num_pal == 0) || num_pal > 256) num_pal == 0) || num_pal > max_num_pal)
{ {
if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
{ {
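Review bot: The new bound `(1 << png_ptr->bit_depth)` in png_write_PLTE shifts a signed `int` by a value this hunk never range-checks, so the limit is only correct if `bit_depth` was already restricted to 1, 2, 4 or 8 for palette images before this point (presumably when IHDR is written; that code is not visible here). For any depth above 8 the computed limit would exceed PNG_MAX_PALETTE_LENGTH, and the fixed `num_pal > 256` ceiling that this change replaces would no longer apply. I would write the shift as `(1U << png_ptr->bit_depth)` and add a comment above the assignment such as `/* PLTE holds at most 2^bit_depth entries for palette images; bit_depth is assumed validated by the IHDR writer */`. The body of png_write_PLTE continues past the end of the hunk, so the error and warning branches that consume this check are not reviewed here.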