[libpng16] Prevent reading over-length PLTE chunk (Cosmin Truta).
This commit is contained in:
Glenn Randers-Pehrson
parent
06509be841
commit
a901eb3ce6
6
ANNOUNCE
6
ANNOUNCE
@ -1,4 +1,4 @@
|
||||
Libpng 1.6.19rc02 - October 29, 2015
|
||||
Libpng 1.6.19rc02 - October 30, 2015
|
||||
|
||||
This is not intended to be a public release. It will be replaced
|
||||
within a few weeks by a public version or by another test version.
|
||||
@ -106,8 +106,8 @@ Version 1.6.19beta04 [October 15, 2015]
|
||||
Version 1.6.19rc01 [October 23, 2015]
|
||||
No changes.
|
||||
|
||||
Version 1.6.19rc02 [October 29, 2015]
|
||||
Prevent writing over-length PLTE chunk (Cosmin Truta).
|
||||
Version 1.6.19rc02 [October 30, 2015]
|
||||
Prevent reading or writing over-length PLTE chunk (Cosmin Truta).
|
||||
|
||||
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
|
||||
(subscription required; visit
|
||||
|
||||
4
CHANGES
4
CHANGES
@ -5391,8 +5391,8 @@ Version 1.6.19beta04 [October 15, 2015]
|
||||
Version 1.6.19rc01 [October 23, 2015]
|
||||
No changes.
|
||||
|
||||
Version 1.6.19rc02 [October 29, 2015]
|
||||
Prevent writing over-length PLTE chunk (Cosmin Truta).
|
||||
Version 1.6.19rc02 [October 30, 2015]
|
||||
Prevent reading or writing over-length PLTE chunk (Cosmin Truta).
|
||||
|
||||
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
|
||||
(subscription required; visit
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
libpng-manual.txt - A description on how to use and modify libpng
|
||||
|
||||
libpng version 1.6.19rc02 - October 29, 2015
|
||||
libpng version 1.6.19rc02 - October 30, 2015
|
||||
Updated and distributed by Glenn Randers-Pehrson
|
||||
<glennrp at users.sourceforge.net>
|
||||
Copyright (c) 1998-2015 Glenn Randers-Pehrson
|
||||
@ -11,7 +11,7 @@ libpng-manual.txt - A description on how to use and modify libpng
|
||||
|
||||
Based on:
|
||||
|
||||
libpng versions 0.97, January 1998, through 1.6.19rc02 - October 29, 2015
|
||||
libpng versions 0.97, January 1998, through 1.6.19rc02 - October 30, 2015
|
||||
Updated and distributed by Glenn Randers-Pehrson
|
||||
Copyright (c) 1998-2015 Glenn Randers-Pehrson
|
||||
|
||||
@ -5142,10 +5142,9 @@ It can be set for testing debug or beta builds to ensure that they will compile
|
||||
when the build type is switched to RC or STABLE. In essence this overrides the
|
||||
PNG_LIBPNG_BUILD_BASE_TYPE definition which is not directly user controllable.
|
||||
|
||||
Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
|
||||
Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk
|
||||
is an error. Previously this requirement of the PNG specification was not
|
||||
enforced. Libpng continues to accept over-length PLTE chunks when reading,
|
||||
but does not make any use of the extra entries.
|
||||
enforced, and the palette was always limited to 256 entries.
|
||||
|
||||
XIII. Detecting libpng
|
||||
|
||||
@ -5319,7 +5318,7 @@ Other rules can be inferred by inspecting the libpng source.
|
||||
|
||||
XVI. Y2K Compliance in libpng
|
||||
|
||||
October 29, 2015
|
||||
October 30, 2015
|
||||
|
||||
Since the PNG Development group is an ad-hoc body, we can't make
|
||||
an official declaration.
|
||||
|
||||
19
libpng.3
19
libpng.3
@ -1,4 +1,4 @@
|
||||
.TH LIBPNG 3 "October 29, 2015"
|
||||
.TH LIBPNG 3 "October 30, 2015"
|
||||
.SH NAME
|
||||
libpng \- Portable Network Graphics (PNG) Reference Library 1.6.19rc02
|
||||
.SH SYNOPSIS
|
||||
@ -508,7 +508,7 @@ Following is a copy of the libpng-manual.txt file that accompanies libpng.
|
||||
.SH LIBPNG.TXT
|
||||
libpng-manual.txt - A description on how to use and modify libpng
|
||||
|
||||
libpng version 1.6.19rc02 - October 29, 2015
|
||||
libpng version 1.6.19rc02 - October 30, 2015
|
||||
Updated and distributed by Glenn Randers-Pehrson
|
||||
<glennrp at users.sourceforge.net>
|
||||
Copyright (c) 1998-2015 Glenn Randers-Pehrson
|
||||
@ -519,7 +519,7 @@ libpng-manual.txt - A description on how to use and modify libpng
|
||||
|
||||
Based on:
|
||||
|
||||
libpng versions 0.97, January 1998, through 1.6.19rc02 - October 29, 2015
|
||||
libpng versions 0.97, January 1998, through 1.6.19rc02 - October 30, 2015
|
||||
Updated and distributed by Glenn Randers-Pehrson
|
||||
Copyright (c) 1998-2015 Glenn Randers-Pehrson
|
||||
|
||||
@ -5650,10 +5650,9 @@ It can be set for testing debug or beta builds to ensure that they will compile
|
||||
when the build type is switched to RC or STABLE. In essence this overrides the
|
||||
PNG_LIBPNG_BUILD_BASE_TYPE definition which is not directly user controllable.
|
||||
|
||||
Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
|
||||
Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk
|
||||
is an error. Previously this requirement of the PNG specification was not
|
||||
enforced. Libpng continues to accept over-length PLTE chunks when reading,
|
||||
but does not make any use of the extra entries.
|
||||
enforced, and the palette was always limited to 256 entries.
|
||||
|
||||
.SH XIII. Detecting libpng
|
||||
|
||||
@ -5827,7 +5826,7 @@ Other rules can be inferred by inspecting the libpng source.
|
||||
|
||||
.SH XVI. Y2K Compliance in libpng
|
||||
|
||||
October 29, 2015
|
||||
October 30, 2015
|
||||
|
||||
Since the PNG Development group is an ad-hoc body, we can't make
|
||||
an official declaration.
|
||||
@ -6149,7 +6148,7 @@ possible without all of you.
|
||||
|
||||
Thanks to Frank J. T. Wojcik for helping with the documentation.
|
||||
|
||||
Libpng version 1.6.19rc02 - October 29, 2015:
|
||||
Libpng version 1.6.19rc02 - October 30, 2015:
|
||||
Initially created in 1995 by Guy Eric Schalnat, then of Group 42, Inc.
|
||||
Currently maintained by Glenn Randers-Pehrson (glennrp at users.sourceforge.net).
|
||||
|
||||
@ -6172,7 +6171,7 @@ this sentence.
|
||||
|
||||
This code is released under the libpng license.
|
||||
|
||||
libpng versions 1.0.7, July 1, 2000, through 1.6.19rc02, October 29, 2015, are
|
||||
libpng versions 1.0.7, July 1, 2000, through 1.6.19rc02, October 30, 2015, are
|
||||
Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, and are
|
||||
distributed according to the same disclaimer and license as libpng-1.0.6
|
||||
with the following individuals added to the list of Contributing Authors:
|
||||
@ -6266,7 +6265,7 @@ the additional disclaimers inserted at version 1.0.7.
|
||||
|
||||
Glenn Randers-Pehrson
|
||||
glennrp at users.sourceforge.net
|
||||
October 29, 2015
|
||||
October 30, 2015
|
||||
|
||||
.\" end of man page
|
||||
|
||||
|
||||
@ -1002,6 +1002,9 @@ png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
||||
* confusing.
|
||||
*
|
||||
* Fix this by not sharing the palette in this way.
|
||||
*
|
||||
* Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
|
||||
* it attempts to set a palette length that is too large for the bit depth.
|
||||
*/
|
||||
png_set_PLTE(png_ptr, info_ptr, palette, num);
|
||||
|
||||
|
||||
13
pngset.c
13
pngset.c
@ -1,7 +1,7 @@
|
||||
|
||||
/* pngset.c - storage of image information into info struct
|
||||
*
|
||||
* Last changed in libpng 1.6.18 [July 23, 2015]
|
||||
* Last changed in libpng 1.6.19 [(PENDING RELEASE)]
|
||||
* Copyright (c) 1998-2015 Glenn Randers-Pehrson
|
||||
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
|
||||
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
|
||||
@ -513,12 +513,17 @@ png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
|
||||
png_const_colorp palette, int num_palette)
|
||||
{
|
||||
|
||||
png_uint_32 max_palette_length;
|
||||
|
||||
png_debug1(1, "in %s storage function", "PLTE");
|
||||
|
||||
if (png_ptr == NULL || info_ptr == NULL)
|
||||
return;
|
||||
|
||||
if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)
|
||||
max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
|
||||
(1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
|
||||
|
||||
if (num_palette < 0 || num_palette > max_palette_length)
|
||||
{
|
||||
if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
|
||||
png_error(png_ptr, "Invalid palette length");
|
||||
@ -551,8 +556,8 @@ png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
|
||||
png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
|
||||
|
||||
/* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
|
||||
* of num_palette entries, in case of an invalid PNG file that has
|
||||
* too-large sample values.
|
||||
* of num_palette entries, in case of an invalid PNG file or incorrect
|
||||
* call to png_set_PLTE() with too-large sample values.
|
||||
*/
|
||||
png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
|
||||
PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
|
||||
|
||||
@ -922,20 +922,20 @@ void /* PRIVATE */
|
||||
png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
|
||||
png_uint_32 num_pal)
|
||||
{
|
||||
png_uint_32 max_num_pal, i;
|
||||
png_uint_32 max_palette_length, i;
|
||||
png_const_colorp pal_ptr;
|
||||
png_byte buf[3];
|
||||
|
||||
png_debug(1, "in png_write_PLTE");
|
||||
|
||||
max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
|
||||
max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
|
||||
(1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
|
||||
|
||||
if ((
|
||||
#ifdef PNG_MNG_FEATURES_SUPPORTED
|
||||
(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
|
||||
#endif
|
||||
num_pal == 0) || num_pal > max_num_pal)
|
||||
num_pal == 0) || num_pal > max_palette_length)
|
||||
{
|
||||
if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
|
||||
{
|
||||
|
||||
Loading…
Reference in New Issue
Block a user