[libpng16] Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(),

to account for the minimum 'deflate' stream.
Glenn Randers-Pehrson 2017-08-06 07:59:02 -05:00
parent 39d84f4f6a
commit 8ed418b042
3 changed files with 9 additions and 4 deletions

@ -89,6 +89,8 @@ Version 1.6.32beta11 [August 6, 2017]
Initialize profile_header[] in png_handle_iCCP() to fix OSS-fuzz issue. Initialize profile_header[] in png_handle_iCCP() to fix OSS-fuzz issue.
Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix OSS-fuzz UMR. Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix OSS-fuzz UMR.
Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue. Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue.
Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), to account
for the minimum 'deflate' stream.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit
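
Review bot: The added entry says the "minimum zlib stream" goes from 9 to 14, but going by the comment in the png_handle_iCCP() hunk, 9 and 14 are the minimum iCCP chunk length (keyword, terminator and compression method included), while the zlib stream itself is 2 + 5 + 4 bytes. Suggest wording the entry as "Increase minimum iCCP chunk length from 9 to 14 in png_handle_iCCP()" so the changelog says the same thing as the `if (length < 14)` test.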

@ -5972,6 +5972,8 @@ Version 1.6.32beta11 [August 6, 2017]
Initialize profile_header[] in png_handle_iCCP() to fix OSS-fuzz issue. Initialize profile_header[] in png_handle_iCCP() to fix OSS-fuzz issue.
Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix OSS-fuzz UMR. Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix OSS-fuzz UMR.
Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue. Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue.
Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), to account
for the minimum 'deflate' stream.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit
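
Review bot: The added entry gives no reason for the change, unlike the three entries above it, which each name the OSS-fuzz issue or UMR they address. If the new minimum was prompted by a fuzzer finding or a particular malformed file, say so in this entry; if it only tightens the sanity check, state that instead.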

@ -1380,11 +1380,12 @@ png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
* chunk is just ignored, so does not invalidate the color space. An * chunk is just ignored, so does not invalidate the color space. An
* alternative is to set the 'invalid' flags at the start of this routine * alternative is to set the 'invalid' flags at the start of this routine
* and only clear them in they were not set before and all the tests pass. * and only clear them in they were not set before and all the tests pass.
* The minimum 'deflate' stream is assumed to be just the 2 byte header and * The minimum 'zlib' stream is assumed to be just the 2 byte header,
* 4 byte checksum. The keyword must be at least one character and there is * 5 bytes minimum 'deflate' stream, and the 4 byte checksum. The keyword
* a terminator (0) byte and the compression method. * must be at least one character and there is a terminator (0) byte and
* the compression method.
*/ */
if (length < 9) if (length < 14)
{ {
png_crc_finish(png_ptr, length); png_crc_finish(png_ptr, length);
png_chunk_benign_error(png_ptr, "too short"); png_chunk_benign_error(png_ptr, "too short");
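
Review bot: The new bound in `if (length < 14)` is a bare literal whose derivation exists only in the comment above it (1 keyword byte + 1 terminator + 1 compression method + 2 zlib header + 5 deflate + 4 checksum). Consider writing the test as that sum or as a named constant so the comment and the check cannot drift apart the way the old 9 did, and have the comment say which deflate block the 5-byte figure is based on, since it is stated only as an assumption.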