diff --git a/ANNOUNCE b/ANNOUNCE
index 563c71342..2ebc83a88 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -92,6 +92,7 @@ Version 1.6.32beta11 [August 6, 2017]
 Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), to account for the minimum 'deflate' stream, and relocate the test to a point after the keyword has been read.
+ Check that the eXIf chunk has at least 2 bytes and begins with "II" or "MM".
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit
diff --git a/CHANGES b/CHANGES
index ac32d313f..1de0dac6d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5975,6 +5975,7 @@ Version 1.6.32beta11 [August 6, 2017]
 Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), to account for the minimum 'deflate' stream, and relocate the test to a point after the keyword has been read.
+ Check that the eXIf chunk has at least 2 bytes and begins with "II" or "MM".
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit
diff --git a/pngrutil.c b/pngrutil.c
index 949a6720b..68b955fbf 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -2035,6 +2035,13 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
 png_chunk_error(png_ptr, "missing IHDR");
+ if (length < 2)
+ {
+ png_crc_finish(png_ptr, length);
+ png_chunk_benign_error(png_ptr, "too short");
+ return;
+ }
+
 else if (info_ptr == NULL || (info_ptr->valid & PNG_INFO_eXIf) != 0)
 {
 png_crc_finish(png_ptr, length);
@@ -2059,6 +2066,13 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 png_byte buf[1];
 png_crc_read(png_ptr, buf, 1);
 info_ptr->eXIf_buf[i] = buf[0];
+ if (i == 2 && buf[0] != 'M' && buf[0] != 'I'
+ && info_ptr->eXIf_buf[0] != buf[0])
+ {
+ png_crc_finish(png_ptr, length);
+ png_chunk_benign_error(png_ptr, "incorrect byte-order specifier");
+ return;
+ }
 }
 if (png_crc_finish(png_ptr, 0) != 0)
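Review bot: The `else` on `else if (info_ptr == NULL || (info_ptr->valid & PNG_INFO_eXIf) != 0)` is now dead syntax, because the block it follows ends in an unconditional `return`; writing it as a plain `if` keeps the duplicate/NULL test from reading as an alternative branch of the length test. The new ordering also means a truncated second eXIf chunk is reported as "too short" rather than "duplicate"; that looks deliberate, but a one-line comment would save the next reader the question, e.g. `/* A chunk shorter than the byte-order mark cannot be Exif; reject it before the duplicate test */`. png_handle_eXIf starts before this hunk and continues past it.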
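Review bot: The byte-order test runs at `i == 2`, i.e. on the third byte of the chunk, while the ANNOUNCE entry says the chunk must begin with "II" or "MM", which occupy bytes 0 and 1; the guard should be `if (i == 1 && ...`. As written, a 2-byte chunk, which the first hunk explicitly admits, is never checked at all, and a longer chunk whose third byte is neither 'I', 'M' nor equal to byte 0 (the usual case, since a TIFF header follows the specifier with the value 42) is rejected as "incorrect byte-order specifier". The condition also accepts "IM" and "MI" because its two tests are ANDed; `if (i == 1 && ((buf[0] != 'M' && buf[0] != 'I') || info_ptr->eXIf_buf[0] != buf[0]))` matches the documented rule. Separately, `png_crc_finish(png_ptr, length)` is called here after `i + 1` bytes have already been consumed by `png_crc_read`; if its second argument is the number of data bytes still to skip, as the `length` argument before any read and the `0` argument after the loop suggest, it should be `length - i - 1`, otherwise the reader runs past this chunk's CRC. The for loop and the function begin outside the hunk.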