[libpng16] Compute a larger limit on IDAT because some applications write a
deflate buffer for each row (Bug report by Andrew Church).
This commit is contained in:
Glenn Randers-Pehrson
parent
47aa798127
commit
eb2f42aa97
6
ANNOUNCE
6
ANNOUNCE
@ -1,4 +1,4 @@
|
||||
Libpng 1.6.33beta02 - August 30, 2017
|
||||
Libpng 1.6.33beta02 - August 31, 2017
|
||||
|
||||
This is not intended to be a public release. It will be replaced
|
||||
within a few weeks by a public version or by another test version.
|
||||
@ -30,9 +30,11 @@ Version 1.6.33beta01 [August 28, 2017]
|
||||
Fixed off-by-one error in png_do_check_palette_indexes() (Bug report
|
||||
by Mick P., Source Forge Issue #269).
|
||||
|
||||
Version 1.6.33beta02 [August 30, 2017]
|
||||
Version 1.6.33beta02 [August 31, 2017]
|
||||
Initialize png_handler.row_ptr in contrib/oss-fuzz/libpng_read_fuzzer.cc
|
||||
to fix shortlived oss-fuzz issue 3234.
|
||||
Compute a larger limit on IDAT because some applications write a deflate
|
||||
buffer for each row (Bug report by Andrew Church).
|
||||
|
||||
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
|
||||
(subscription required; visit
|
||||
|
||||
5
CHANGES
5
CHANGES
@ -6000,10 +6000,11 @@ Version 1.6.33beta01 [August 28, 2017]
|
||||
Fixed off-by-one error in png_do_check_palette_indexes() (Bug report
|
||||
by Mick P., Source Forge Issue #269).
|
||||
|
||||
Version 1.6.33beta02 [August 30, 2017]
|
||||
Version 1.6.33beta02 [August 31, 2017]
|
||||
Initialize png_handler.row_ptr in contrib/oss-fuzz/libpng_read_fuzzer.cc
|
||||
to fix shortlived oss-fuzz issue 3234.
|
||||
|
||||
Compute a larger limit on IDAT because some applications write a deflate
|
||||
buffer for each row (Bug report by Andrew Church).
|
||||
|
||||
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
|
||||
(subscription required; visit
|
||||
|
||||
26
pngrutil.c
26
pngrutil.c
@ -3144,28 +3144,28 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
|
||||
{
|
||||
png_alloc_size_t limit = PNG_UINT_31_MAX;
|
||||
|
||||
if (png_ptr->chunk_name != png_IDAT)
|
||||
{
|
||||
# ifdef PNG_SET_USER_LIMITS_SUPPORTED
|
||||
if (png_ptr->user_chunk_malloc_max > 0 &&
|
||||
png_ptr->user_chunk_malloc_max < limit)
|
||||
limit = png_ptr->user_chunk_malloc_max;
|
||||
if (png_ptr->user_chunk_malloc_max > 0 &&
|
||||
png_ptr->user_chunk_malloc_max < limit)
|
||||
limit = png_ptr->user_chunk_malloc_max;
|
||||
# elif PNG_USER_CHUNK_MALLOC_MAX > 0
|
||||
if (PNG_USER_CHUNK_MALLOC_MAX < limit)
|
||||
limit = PNG_USER_CHUNK_MALLOC_MAX;
|
||||
if (PNG_USER_CHUNK_MALLOC_MAX < limit)
|
||||
limit = PNG_USER_CHUNK_MALLOC_MAX;
|
||||
# endif
|
||||
}
|
||||
else
|
||||
if (png_ptr->chunk_name == png_IDAT)
|
||||
{
|
||||
png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
|
||||
size_t row_factor =
|
||||
(png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
|
||||
+ 1 + (png_ptr->interlaced? 6: 0));
|
||||
if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
|
||||
limit=PNG_UINT_31_MAX;
|
||||
idat_limit=PNG_UINT_31_MAX;
|
||||
else
|
||||
limit = png_ptr->height * row_factor;
|
||||
limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */
|
||||
limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX;
|
||||
idat_limit = png_ptr->height * row_factor;
|
||||
row_factor = row_factor > 32566? 32566 : row_factor;
|
||||
idat_limit += 6 + 5*(idat_limit/row_factor+1); /* zlib+deflate overhead */
|
||||
idat_limit=idat_limit < PNG_UINT_31_MAX? idat_limit : PNG_UINT_31_MAX;
|
||||
limit = limit < idat_limit? idat_limit : limit;
|
||||
}
|
||||
|
||||
if (length > limit)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user