diff --git a/ANNOUNCE b/ANNOUNCE
index d56aeff55..01fe0cc0d 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -89,6 +89,8 @@ Version 1.6.32beta11 [August 6, 2017]
 Initialize profile_header[] in png_handle_iCCP() to fix OSS-fuzz issue.
 Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix OSS-fuzz UMR.
 Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue.
+ Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), to account
+ for the minimum 'deflate' stream.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index 3abb11cff..d21659bb6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5972,6 +5972,8 @@ Version 1.6.32beta11 [August 6, 2017]
 Initialize profile_header[] in png_handle_iCCP() to fix OSS-fuzz issue.
 Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix OSS-fuzz UMR.
 Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue.
+ Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), to account
+ for the minimum 'deflate' stream.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/pngrutil.c b/pngrutil.c
index 6c6a39a35..8656fa5b5 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1380,11 +1380,12 @@ png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 * chunk is just ignored, so does not invalidate the color space. An
 * alternative is to set the 'invalid' flags at the start of this routine
 * and only clear them in they were not set before and all the tests pass.
- * The minimum 'deflate' stream is assumed to be just the 2 byte header and
- * 4 byte checksum. The keyword must be at least one character and there is
- * a terminator (0) byte and the compression method.
+ * The minimum 'zlib' stream is assumed to be just the 2 byte header,
+ * 5 bytes minimum 'deflate' stream, and the 4 byte checksum. The keyword
+ * must be at least one character and there is a terminator (0) byte and
+ * the compression method.
 */
- if (length < 9)
+ if (length < 14)
 {
 png_crc_finish(png_ptr, length);
 png_chunk_benign_error(png_ptr, "too short");
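Review bot: The literal in `if (length < 14)` is the sum of six parts that the comment lists only in prose, and the "5 bytes minimum 'deflate' stream" figure is the size of an empty stored block rather than the smallest deflate stream in general (an empty fixed-Huffman block is shorter). I would spell out the arithmetic and say that the bound is a deliberate early reject, for example `/* 1 keyword + 1 terminator + 1 method + 2 zlib header + 5 empty stored block + 4 Adler-32 = 14 */`, so a later reader does not take 14 for the true zlib minimum. Chunks of 9 to 13 bytes are now rejected as "too short"; that looks harmless, since a stream that small could presumably not hold a usable profile, but the comment should state it. This check only bounds the chunk length from below, and png_handle_iCCP() continues outside the hunk, so the limits that matter when the stream is inflated are not visible here.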