From a901eb3ce6087e0afeef988247f1a1aa208cb54d Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Fri, 30 Oct 2015 07:57:49 -0500 Subject: [PATCH] [libpng16] Prevent reading over-length PLTE chunk (Cosmin Truta). --- ANNOUNCE | 6 +++--- CHANGES | 4 ++-- libpng-manual.txt | 11 +++++------ libpng.3 | 19 +++++++++---------- pngrutil.c | 3 +++ pngset.c | 13 +++++++++---- pngwutil.c | 6 +++--- 7 files changed, 34 insertions(+), 28 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index 6bc50236d..e41c5a074 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,4 +1,4 @@ -Libpng 1.6.19rc02 - October 29, 2015 +Libpng 1.6.19rc02 - October 30, 2015 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -106,8 +106,8 @@ Version 1.6.19beta04 [October 15, 2015] Version 1.6.19rc01 [October 23, 2015] No changes. -Version 1.6.19rc02 [October 29, 2015] - Prevent writing over-length PLTE chunk (Cosmin Truta). +Version 1.6.19rc02 [October 30, 2015] + Prevent reading or writing over-length PLTE chunk (Cosmin Truta). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index 945a7fdff..7c9977e15 100644 --- a/CHANGES +++ b/CHANGES @@ -5391,8 +5391,8 @@ Version 1.6.19beta04 [October 15, 2015] Version 1.6.19rc01 [October 23, 2015] No changes. -Version 1.6.19rc02 [October 29, 2015] - Prevent writing over-length PLTE chunk (Cosmin Truta). +Version 1.6.19rc02 [October 30, 2015] + Prevent reading or writing over-length PLTE chunk (Cosmin Truta). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/libpng-manual.txt b/libpng-manual.txt index 865b2713a..6b4fef82a 100644 --- a/libpng-manual.txt +++ b/libpng-manual.txt 
@@ -1,6 +1,6 @@ libpng-manual.txt - A description on how to use and modify libpng - libpng version 1.6.19rc02 - October 29, 2015 + libpng version 1.6.19rc02 - October 30, 2015 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2015 Glenn Randers-Pehrson @@ -11,7 +11,7 @@ libpng-manual.txt - A description on how to use and modify libpng Based on: - libpng versions 0.97, January 1998, through 1.6.19rc02 - October 29, 2015 + libpng versions 0.97, January 1998, through 1.6.19rc02 - October 30, 2015 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2015 Glenn Randers-Pehrson @@ -5142,10 +5142,9 @@ It can be set for testing debug or beta builds to ensure that they will compile when the build type is switched to RC or STABLE. In essence this overrides the PNG_LIBPNG_BUILD_BASE_TYPE definition which is not directly user controllable. -Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk +Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk is an error. Previously this requirement of the PNG specification was not -enforced. Libpng continues to accept over-length PLTE chunks when reading, -but does not make any use of the extra entries. +enforced, and the palette was always limited to 256 entries. XIII. Detecting libpng @@ -5319,7 +5318,7 @@ Other rules can be inferred by inspecting the libpng source. XVI. Y2K Compliance in libpng -October 29, 2015 +October 30, 2015 Since the PNG Development group is an ad-hoc body, we can't make an official declaration. diff --git a/libpng.3 b/libpng.3 index d41d8d60c..1f7c75ce3 100644 --- a/libpng.3 +++ b/libpng.3 @@ -1,4 +1,4 @@ -.TH LIBPNG 3 "October 29, 2015" +.TH LIBPNG 3 "October 30, 2015" .SH NAME libpng \- Portable Network Graphics (PNG) Reference Library 1.6.19rc02 .SH SYNOPSIS 
@@ -508,7 +508,7 @@ Following is a copy of the libpng-manual.txt file that accompanies libpng. .SH LIBPNG.TXT libpng-manual.txt - A description on how to use and modify libpng - libpng version 1.6.19rc02 - October 29, 2015 + libpng version 1.6.19rc02 - October 30, 2015 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2015 Glenn Randers-Pehrson @@ -519,7 +519,7 @@ libpng-manual.txt - A description on how to use and modify libpng Based on: - libpng versions 0.97, January 1998, through 1.6.19rc02 - October 29, 2015 + libpng versions 0.97, January 1998, through 1.6.19rc02 - October 30, 2015 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2015 Glenn Randers-Pehrson @@ -5650,10 +5650,9 @@ It can be set for testing debug or beta builds to ensure that they will compile when the build type is switched to RC or STABLE. In essence this overrides the PNG_LIBPNG_BUILD_BASE_TYPE definition which is not directly user controllable. -Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk +Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk is an error. Previously this requirement of the PNG specification was not -enforced. Libpng continues to accept over-length PLTE chunks when reading, -but does not make any use of the extra entries. +enforced, and the palette was always limited to 256 entries. .SH XIII. Detecting libpng @@ -5827,7 +5826,7 @@ Other rules can be inferred by inspecting the libpng source. .SH XVI. Y2K Compliance in libpng -October 29, 2015 +October 30, 2015 Since the PNG Development group is an ad-hoc body, we can't make an official declaration. 
@@ -6149,7 +6148,7 @@ possible without all of you. Thanks to Frank J. T. Wojcik for helping with the documentation. -Libpng version 1.6.19rc02 - October 29, 2015: +Libpng version 1.6.19rc02 - October 30, 2015: Initially created in 1995 by Guy Eric Schalnat, then of Group 42, Inc. Currently maintained by Glenn Randers-Pehrson (glennrp at users.sourceforge.net). @@ -6172,7 +6171,7 @@ this sentence. This code is released under the libpng license. -libpng versions 1.0.7, July 1, 2000, through 1.6.19rc02, October 29, 2015, are +libpng versions 1.0.7, July 1, 2000, through 1.6.19rc02, October 30, 2015, are Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, and are distributed according to the same disclaimer and license as libpng-1.0.6 with the following individuals added to the list of Contributing Authors: @@ -6266,7 +6265,7 @@ the additional disclaimers inserted at version 1.0.7. Glenn Randers-Pehrson glennrp at users.sourceforge.net -October 29, 2015 +October 30, 2015 .\" end of man page diff --git a/pngrutil.c b/pngrutil.c index a60ee96fe..babf5c02d 100644 --- a/pngrutil.c +++ b/pngrutil.c @@ -1002,6 +1002,9 @@ png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) * confusing. * * Fix this by not sharing the palette in this way. + * + * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when + * it attempts to set a palette length that is too large for the bit depth. */ png_set_PLTE(png_ptr, info_ptr, palette, num); diff --git a/pngset.c b/pngset.c index 6c6beac9f..0629d94e9 100644 --- a/pngset.c +++ b/pngset.c @@ -1,7 +1,7 @@ /* pngset.c - storage of image information into info struct * - * Last changed in libpng 1.6.18 [July 23, 2015] + * Last changed in libpng 1.6.19 [(PENDING RELEASE)] * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) 
@@ -513,12 +513,17 @@ png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
     png_const_colorp palette, int num_palette)
 {
 
+   png_uint_32 max_palette_length;
+
    png_debug1(1, "in %s storage function", "PLTE");
 
    if (png_ptr == NULL || info_ptr == NULL)
       return;
 
-   if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)
+   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
+   if (num_palette < 0 || num_palette > max_palette_length)
    {
       if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
          png_error(png_ptr, "Invalid palette length");
@@ -551,8 +556,8 @@ png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
    png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
 
    /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
-    * of num_palette entries, in case of an invalid PNG file that has
-    * too-large sample values.
+    * of num_palette entries, in case of an invalid PNG file or incorrect
+    * call to png_set_PLTE() with too-large sample values.
     */
    png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
        PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
diff --git a/pngwutil.c b/pngwutil.c
index 71923298f..7afefe1f9 100644
--- a/pngwutil.c
+++ b/pngwutil.c
@@ -922,20 +922,20 @@ void /* PRIVATE */
 png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
     png_uint_32 num_pal)
 {
-   png_uint_32 max_num_pal, i;
+   png_uint_32 max_palette_length, i;
    png_const_colorp pal_ptr;
    png_byte buf[3];
 
    png_debug(1, "in png_write_PLTE");
 
-   max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
       (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
 
    if ((
 #ifdef PNG_MNG_FEATURES_SUPPORTED
        (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
 #endif
-       num_pal == 0) || num_pal > max_num_pal)
+       num_pal == 0) || num_pal > max_palette_length)
    {
       if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
       {
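Review bot: In the png_set_PLTE hunk, `num_palette > max_palette_length` compares a signed int against a png_uint_32, so num_palette is converted to unsigned for that test; the preceding `num_palette < 0` keeps the result correct, but it trips -Wsign-compare in warning-clean builds and reads as though a negative count could reach the unsigned comparison. Casting the bound keeps the comparison signed, `if (num_palette < 0 || num_palette > (int) max_palette_length)`, and the bound is a small power of two or PNG_MAX_PALETTE_LENGTH, so the cast cannot truncate. The new limit is derived from png_ptr->color_type and png_ptr->bit_depth while the error-versus-warning decision two lines later uses info_ptr->color_type; on the read path both come from IHDR, but if, as I recall, png_set_IHDR fills only info_ptr, an application that calls png_set_PLTE before writing the header presumably gets the 256-entry bound rather than the bit-depth bound, so a comment above the assignment stating which structure is authoritative and when its fields are populated would help. png_set_PLTE continues outside the hunk.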