cheng/libpng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[libpng16] Check that the eXIf chunk has at least 2 bytes and begins

Browse Source 
with "II" or "MM".
This commit is contained in:
Glenn Randers-Pehrson 2017-08-06 10:24:04 -05:00
parent c82ae40e9f
commit cf713fb0ab
3 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ANNOUNCE
View File

@ -92,6 +92,7 @@ Version 1.6.32beta11 [August 6, 2017]
Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), to account Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), to account
for the minimum 'deflate' stream, and relocate the test to a point for the minimum 'deflate' stream, and relocate the test to a point
after the keyword has been read. after the keyword has been read.
Check that the eXIf chunk has at least 2 bytes and begins with "II" or "MM".
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

1
CHANGES
View File

@ -5975,6 +5975,7 @@ Version 1.6.32beta11 [August 6, 2017]
Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), to account Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), to account
for the minimum 'deflate' stream, and relocate the test to a point for the minimum 'deflate' stream, and relocate the test to a point
after the keyword has been read. after the keyword has been read.
Check that the eXIf chunk has at least 2 bytes and begins with "II" or "MM".
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

14
pngrutil.c
View File

@ -2035,6 +2035,13 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
png_chunk_error(png_ptr, "missing IHDR"); png_chunk_error(png_ptr, "missing IHDR");
if (length < 2)
{
png_crc_finish(png_ptr, length);
png_chunk_benign_error(png_ptr, "too short");
return;
}
else if (info_ptr == NULL || (info_ptr->valid & PNG_INFO_eXIf) != 0) else if (info_ptr == NULL || (info_ptr->valid & PNG_INFO_eXIf) != 0)
{ {
png_crc_finish(png_ptr, length); png_crc_finish(png_ptr, length);
@ -2059,6 +2066,13 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
png_byte buf[1]; png_byte buf[1];
png_crc_read(png_ptr, buf, 1); png_crc_read(png_ptr, buf, 1);
info_ptr->eXIf_buf[i] = buf[0]; info_ptr->eXIf_buf[i] = buf[0];
if (i == 2 && buf[0] != 'M' && buf[0] != 'I'
&& info_ptr->eXIf_buf[0] != buf[0])
{
png_crc_finish(png_ptr, length);
png_chunk_benign_error(png_ptr, "incorrect byte-order specifier");
return;
}
} }
if (png_crc_finish(png_ptr, 0) != 0) if (png_crc_finish(png_ptr, 0) != 0)