diff --git a/ANNOUNCE b/ANNOUNCE index bef84dc7c..c76da0d90 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -346,7 +346,8 @@ Version 1.6.0beta20 [March 29, 2012] Recognize known sRGB ICC profiles while reading; prefer writing the iCCP profile over writing the sRGB chunk, controlled by the PNG_sRGB_PROFILE_CHECKS option. - Revised png_set_text_2() to avoid potential memory corruption. + Revised png_set_text_2() to avoid potential memory corruption (fixes + CVE-2011-3048). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index 973209240..aaf48c9ad 100644 --- a/CHANGES +++ b/CHANGES @@ -4097,7 +4097,8 @@ Version 1.6.0beta20 [March 29, 2012] Recognize known sRGB ICC profiles while reading; prefer writing the iCCP profile over writing the sRGB chunk, controlled by the PNG_sRGB_PROFILE_CHECKS option. - Revised png_set_text_2() to avoid a potential memory corruption. + Revised png_set_text_2() to avoid potential memory corruption (fixes + CVE-2011-3048). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/LICENSE b/LICENSE index 2d5fa7c76..c4dc83528 100644 --- a/LICENSE +++ b/LICENSE @@ -10,7 +10,7 @@ this sentence. This code is released under the libpng license. -libpng versions 1.2.6, August 15, 2004, through 1.6.0beta20, March 19, 2012, are +libpng versions 1.2.6, August 15, 2004, through 1.6.0beta20, March 29, 2012, are Copyright (c) 2004, 2006-2011 Glenn Randers-Pehrson, and are distributed according to the same disclaimer and license as libpng-1.2.5 with the following individual added to the list of Contributing Authors @@ -108,4 +108,4 @@ certification mark of the Open Source Initiative. Glenn Randers-Pehrson glennrp at users.sourceforge.net -March 19, 2012 +March 29, 2012 diff --git a/README b/README index 86f689a1b..98e42e832 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -README for libpng version 1.6.0beta20 - March 19, 2012 (shared library 16.0) +README for libpng version 1.6.0beta20 - March 29, 2012 (shared library 16.0) See the note about version numbers near the top of png.h See INSTALL for instructions on how to install libpng. diff --git a/contrib/libtests/makepng.c b/contrib/libtests/makepng.c index b1a2ef830..a0bfb4bae 100644 --- a/contrib/libtests/makepng.c +++ b/contrib/libtests/makepng.c @@ -417,6 +417,8 @@ write_png(FILE *fp, int color_type, int bit_depth, return 1; } + /* Allow benign errors so that we can write PNGs with errors */ + png_set_benign_errors(png_ptr, 1/*allowed*/); png_init_io(png_ptr, fp); info_ptr = png_create_info_struct(png_ptr); diff --git a/contrib/tools/checksum-icc.c b/contrib/tools/checksum-icc.c index b7f51d1ae..74b3c3f03 100644 --- a/contrib/tools/checksum-icc.c +++ b/contrib/tools/checksum-icc.c @@ -44,17 +44,18 @@ read_one_file(FILE *ip, const char *name) return 0; /* Success */ - printf("{ 0x%8.8lx, 0x%8.8lx, " - "0x%2.2x%2.2x%2.2x%2.2x, 0x%2.2x%2.2x%2.2x%2.2x, " - "0x%2.2x%2.2x%2.2x%2.2x, 0x%2.2x%2.2x%2.2x%2.2x,\n" - " \"%4.4d/%2.2d/%2.2d %2.2d:%2.2d:%2.2d\", %lu, \"%s\" },\n", + printf("PNG_ICC_CHECKSUM(0x%8.8lx, 0x%8.8lx,\n PNG_MD5(" + "0x%2.2x%2.2x%2.2x%2.2x, 0x%2.2x%2.2x%2.2x%2.2x, 0x%2.2x%2.2x%2.2x%2.2x," + " 0x%2.2x%2.2x%2.2x%2.2x), %d,\n" + " \"%4.4d/%2.2d/%2.2d %2.2d:%2.2d:%2.2d\", %lu, \"%s\")\n", (unsigned long)a32, (unsigned long)c32, header[84], header[85], header[86], header[87], header[88], header[89], header[90], header[91], header[92], header[93], header[94], header[95], header[96], header[97], header[98], header[99], # define u16(x) (header[x] * 256 + header[x+1]) - u16(24), u16(26), u16(28), u16(30), u16(32), u16(34), +# define u32(x) (u16(x) * 65536 + u16(x+2)) + u32(64), u16(24), u16(26), u16(28), u16(30), u16(32), u16(34), (unsigned long)length, name); return 1; @@ -64,8 +65,7 @@ int main(int argc, char **argv) { int err = 0; - printf("= {\n/* adler32 crc32 MD5\n" - " date length name */\n"); + printf("/* adler32, crc32, MD5[16], intent, date, length, file-name */\n"); if (argc > 1) { @@ -80,7 +80,7 @@ int main(int argc, char **argv) err = 1; perror(argv[i]); fprintf(stderr, "%s: read error\n", argv[i]); - printf(" { 0, 0, 0, /* ERROR: */, \"%s\" },\n", argv[i]); + printf("/* ERROR: %s */\n", argv[i]); } (void)fclose(ip); @@ -94,11 +94,9 @@ int main(int argc, char **argv) err = 1; perror("stdin"); fprintf(stderr, "stdin: read error\n"); - printf(" { 0, 0, 0, /* ERROR: */, \"-\" },\n"); + printf("/* ERROR: stdin */\n"); } } - printf("};\n"); - return err; } diff --git a/libpng-manual.txt b/libpng-manual.txt index 60096397a..2a5a0efb0 100644 --- a/libpng-manual.txt +++ b/libpng-manual.txt @@ -1,6 +1,6 @@ libpng-manual.txt - A description on how to use and modify libpng - libpng version 1.6.0beta20 - March 19, 2012 + libpng version 1.6.0beta20 - March 29, 2012 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2011 Glenn Randers-Pehrson @@ -11,7 +11,7 @@ libpng-manual.txt - A description on how to use and modify libpng Based on: - libpng versions 0.97, January 1998, through 1.6.0beta20 - March 19, 2012 + libpng versions 0.97, January 1998, through 1.6.0beta20 - March 29, 2012 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2011 Glenn Randers-Pehrson @@ -5003,7 +5003,7 @@ Other rules can be inferred by inspecting the libpng source. XVI. Y2K Compliance in libpng -March 19, 2012 +March 29, 2012 Since the PNG Development group is an ad-hoc body, we can't make an official declaration. diff --git a/libpng.3 b/libpng.3 index 9e4485946..e91972341 100644 --- a/libpng.3 +++ b/libpng.3 @@ -1,4 +1,4 @@ -.TH LIBPNG 3 "March 19, 2012" +.TH LIBPNG 3 "March 29, 2012" .SH NAME libpng \- Portable Network Graphics (PNG) Reference Library 1.6.0beta20 .SH SYNOPSIS @@ -1007,7 +1007,7 @@ Following is a copy of the libpng-manual.txt file that accompanies libpng. .SH LIBPNG.TXT libpng-manual.txt - A description on how to use and modify libpng - libpng version 1.6.0beta20 - March 19, 2012 + libpng version 1.6.0beta20 - March 29, 2012 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2011 Glenn Randers-Pehrson @@ -1018,7 +1018,7 @@ libpng-manual.txt - A description on how to use and modify libpng Based on: - libpng versions 0.97, January 1998, through 1.6.0beta20 - March 19, 2012 + libpng versions 0.97, January 1998, through 1.6.0beta20 - March 29, 2012 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2011 Glenn Randers-Pehrson @@ -6011,7 +6011,7 @@ Other rules can be inferred by inspecting the libpng source. .SH XVI. Y2K Compliance in libpng -March 19, 2012 +March 29, 2012 Since the PNG Development group is an ad-hoc body, we can't make an official declaration. @@ -6279,7 +6279,7 @@ possible without all of you. Thanks to Frank J. T. Wojcik for helping with the documentation. -Libpng version 1.6.0beta20 - March 19, 2012: +Libpng version 1.6.0beta20 - March 29, 2012: Initially created in 1995 by Guy Eric Schalnat, then of Group 42, Inc. Currently maintained by Glenn Randers-Pehrson (glennrp at users.sourceforge.net). @@ -6302,7 +6302,7 @@ this sentence. This code is released under the libpng license. -libpng versions 1.2.6, August 15, 2004, through 1.6.0beta20, March 19, 2012, are +libpng versions 1.2.6, August 15, 2004, through 1.6.0beta20, March 29, 2012, are Copyright (c) 2004,2006-2007 Glenn Randers-Pehrson, and are distributed according to the same disclaimer and license as libpng-1.2.5 with the following individual added to the list of Contributing Authors @@ -6401,7 +6401,7 @@ certification mark of the Open Source Initiative. Glenn Randers-Pehrson glennrp at users.sourceforge.net -March 19, 2012 +March 29, 2012 .\" end of man page diff --git a/libpngpf.3 b/libpngpf.3 index 003d1554b..4a18df656 100644 --- a/libpngpf.3 +++ b/libpngpf.3 @@ -1,4 +1,4 @@ -.TH LIBPNGPF 3 "March 19, 2012" +.TH LIBPNGPF 3 "March 29, 2012" .SH NAME libpng \- Portable Network Graphics (PNG) Reference Library 1.6.0beta20 (private functions) diff --git a/png.5 b/png.5 index 82f16caa8..34f0e5908 100644 --- a/png.5 +++ b/png.5 @@ -1,4 +1,4 @@ -.TH PNG 5 "March 19, 2012" +.TH PNG 5 "March 29, 2012" .SH NAME png \- Portable Network Graphics (PNG) format .SH DESCRIPTION diff --git a/png.c b/png.c index e44e9391a..e25280914 100644 --- a/png.c +++ b/png.c @@ -2025,8 +2025,8 @@ static const struct "1998/02/09 06:49:00", 3144, "sRGB Profile.icc") PNG_ICC_CHECKSUM(0x0398f3fcUL, 0xf29e526dUL, - PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, - "unknown", 3144, "HP-Microsoft sRGB v2 perceptual") + PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, + "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative") }; static int diff --git a/png.h b/png.h index ebf9827c7..2f933819e 100644 --- a/png.h +++ b/png.h @@ -1,7 +1,7 @@ /* png.h - header file for PNG reference library * - * libpng version 1.6.0beta20 - March 21, 2012 + * libpng version 1.6.0beta20 - March 29, 2012 * Copyright (c) 1998-2012 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -11,7 +11,7 @@ * Authors and maintainers: * libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat * libpng versions 0.89c, June 1996, through 0.96, May 1997: Andreas Dilger - * libpng versions 0.97, January 1998, through 1.6.0beta20 - March 21, 2012: Glenn + * libpng versions 0.97, January 1998, through 1.6.0beta20 - March 29, 2012: Glenn * See also "Contributing Authors", below. * * Note about libpng version numbers: @@ -198,7 +198,7 @@ * * This code is released under the libpng license. * - * libpng versions 1.2.6, August 15, 2004, through 1.6.0beta20, March 21, 2012, are + * libpng versions 1.2.6, August 15, 2004, through 1.6.0beta20, March 29, 2012, are * Copyright (c) 2004, 2006-2012 Glenn Randers-Pehrson, and are * distributed according to the same disclaimer and license as libpng-1.2.5 * with the following individual added to the list of Contributing Authors: @@ -310,7 +310,7 @@ * Y2K compliance in libpng: * ========================= * - * March 21, 2012 + * March 29, 2012 * * Since the PNG Development group is an ad-hoc body, we can't make * an official declaration. @@ -376,7 +376,7 @@ /* Version information for png.h - this should match the version in png.c */ #define PNG_LIBPNG_VER_STRING "1.6.0beta20" #define PNG_HEADER_VERSION_STRING \ - " libpng version 1.6.0beta20 - March 21, 2012\n" + " libpng version 1.6.0beta20 - March 29, 2012\n" #define PNG_LIBPNG_VER_SONUM 16 #define PNG_LIBPNG_VER_DLLNUM 16 diff --git a/pngconf.h b/pngconf.h index c97be31f4..05d546989 100644 --- a/pngconf.h +++ b/pngconf.h @@ -1,7 +1,7 @@ /* pngconf.h - machine configurable file for libpng * - * libpng version 1.6.0beta20 - March 21, 2012 + * libpng version 1.6.0beta20 - March 29, 2012 * * Copyright (c) 1998-2012 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) diff --git a/pngset.c b/pngset.c index ead9817ad..fb950af21 100644 --- a/pngset.c +++ b/pngset.c @@ -722,24 +722,28 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr, */ if (info_ptr->num_text + num_text > info_ptr->max_text) { + int old_max_text = info_ptr->max_text; + int old_num_text = info_ptr->num_text; + if (info_ptr->text != NULL) { png_textp old_text; - int old_max; - old_max = info_ptr->max_text; info_ptr->max_text = info_ptr->num_text + num_text + 8; old_text = info_ptr->text; + info_ptr->text = (png_textp)png_malloc_warn(png_ptr, (png_size_t)(info_ptr->max_text * png_sizeof(png_text))); if (info_ptr->text == NULL) { - png_free(png_ptr, old_text); + /* Restore to previous condition */ + info_ptr->max_text = old_max_text; + info_ptr->text = old_text; return(1); } - png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max * + png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max_text * png_sizeof(png_text))); png_free(png_ptr, old_text); } @@ -751,7 +755,12 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr, info_ptr->text = (png_textp)png_malloc_warn(png_ptr, (png_size_t)(info_ptr->max_text * png_sizeof(png_text))); if (info_ptr->text == NULL) + { + /* Restore to previous condition */ + info_ptr->num_text = old_num_text; + info_ptr->max_text = old_max_text; return(1); + } info_ptr->free_me |= PNG_FREE_TEXT; } diff --git a/projects/vstudio/readme.txt b/projects/vstudio/readme.txt index 452fcb5e4..98d8607df 100644 --- a/projects/vstudio/readme.txt +++ b/projects/vstudio/readme.txt @@ -1,7 +1,7 @@ VisualStudio instructions -libpng version 1.6.0beta20 - March 19, 2012 +libpng version 1.6.0beta20 - March 29, 2012 Copyright (c) 1998-2010 Glenn Randers-Pehrson diff --git a/projects/vstudio/zlib.props b/projects/vstudio/zlib.props index 7519cb907..89ab97b7d 100644 --- a/projects/vstudio/zlib.props +++ b/projects/vstudio/zlib.props @@ -2,7 +2,7 @@