Remove all currently detected cases of unsigned overflow. Detection is
runtime, so test case dependent. The changes to pngvalid.c eliminate
spurious and probably invalid tests with one while loop exception.
Apart from that and the change to the dependence on the intended
unsigned overflow in pngtrans.c the changes are limited to altering the
meme for an unsigned 'x' from:
while (x-- > 0)
to
for (; x > 0; --x)
This works because, in all cases, the control variable is not used in
the loop. The 'while' meme was, at one time, warned by GCC so it is
probably a good change, for some weird religious value of good.
Signed-off-by: John Bowler <jbowler@acm.org>
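The two loop forms above behave the same for the loop body but leave different values in the control variable, which is the unsigned overflow the commit is removing. The following is an added example (not libpng code) that returns the post-loop value of `x` for each form; the function names are ours:

```c
#include <limits.h>

/* Added example, not libpng code. Both loops execute the body the same number
 * of times; the difference is the value of x when the loop exits. */

/* The original "while (x-- > 0)" form: on the final test x is 0, the
 * comparison is false, but the post-decrement still runs and x wraps to
 * UINT_MAX. That wrap is the unsigned overflow a runtime detector flags. */
unsigned while_form_final(unsigned x, unsigned *iterations)
{
    unsigned n = 0;
    while (x-- > 0)
        ++n;              /* the body never reads x, so the wrap is harmless */
    *iterations = n;
    return x;             /* UINT_MAX for every input */
}

/* The replacement "for (; x > 0; --x)" form: x is decremented only while it
 * is still positive, so it exits at 0 with no wrap. */
unsigned for_form_final(unsigned x, unsigned *iterations)
{
    unsigned n = 0;
    for (; x > 0; --x)
        ++n;
    *iterations = n;
    return x;             /* 0 for every input */
}
```

Building this with clang's `-fsanitize=unsigned-integer-overflow` reports the decrement in `while_form_final` and stays silent for `for_form_final`, which is the kind of runtime, test-case-dependent detection the message refers to.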
The code now validates the ICC profile length against the user chunk limit
before the buffer is allocated, as opposed to doing it while the buffer is read.
This removes the potential to consume virtual address space with a carefully
crafted ICC profile; only an issue on 32-bit systems where a valid profile can
be up to 2^32-4 bytes in length. libpng never writes beyond the application
supplied limit, but previously it did allocate a buffer of the size specified in
the profile header. The exploitability of this is almost zero; the address
space is released as soon as the PNG read completes.
Also clean up PNG_DEBUG compile of pngtest.c.
Signed-off-by: John Bowler <jbowler@acm.org>
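The ordering change described above (validate the declared profile length against the user limit, then allocate) can be shown in a few lines. This is an added example, not libpng's implementation; the function names, the 132-byte minimum and the limit parameter are assumptions for illustration, and the sample headers in the test are constructed:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libpng code. */

#define ICC_HEADER_SIZE 132u  /* assumed minimum: 128-byte header + tag count */

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Checks the profile length declared in the first four bytes of the ICC
 * header against the caller's limit (0 means unlimited). Returns the length,
 * or 0 if it is rejected. Nothing is allocated here, so a header claiming
 * 2^32-4 bytes costs no address space even on a 32-bit build. */
uint32_t icc_declared_length_ok(const unsigned char *header, size_t header_len,
                                size_t limit)
{
    uint32_t declared;
    if (header_len < 4)
        return 0;
    declared = be32(header);
    if (declared < ICC_HEADER_SIZE)
        return 0;                          /* too short to be a profile */
    if (limit != 0 && declared > limit)
        return 0;                          /* exceeds the user chunk limit */
    return declared;
}

/* Hardened order: check first, allocate second. Returns NULL on rejection. */
unsigned char *alloc_profile_checked(const unsigned char *header,
                                     size_t header_len, size_t limit,
                                     uint32_t *len_out)
{
    uint32_t len = icc_declared_length_ok(header, header_len, limit);
    unsigned char *buf;
    if (len == 0)
        return NULL;
    buf = malloc(len);
    if (buf == NULL)
        return NULL;
    /* copy the header bytes already read; the rest is filled by the reader */
    memcpy(buf, header, header_len < len ? header_len : len);
    *len_out = len;
    return buf;
}

/* Builds a constructed 132-byte header whose size field is 'size'. */
void make_header(unsigned char out[ICC_HEADER_SIZE], uint32_t size)
{
    memset(out, 0, ICC_HEADER_SIZE);
    out[0] = (unsigned char)(size >> 24);
    out[1] = (unsigned char)(size >> 16);
    out[2] = (unsigned char)(size >> 8);
    out[3] = (unsigned char)size;
}
```

The pre-fix behaviour the message describes is the same code with the `malloc` moved ahead of the check: the allocation for a 2^32-4 byte claim succeeds or fails on the allocator's terms, and only the subsequent read is bounded by the limit.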
In libpng 1.6 zlib initialization was changed to use the window size in the zlib
stream, not a fixed value. This causes some invalid images, ones where CINFO is
too large, to display 'correctly' if the rest of the data is valid. This
provides a workaround for zlib versions where the error arises (ones that
support the API change to use the window size in the stream).
Signed-off-by: John Bowler <jbowler@acm.org>
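The CINFO field the message refers to lives in the first byte of the zlib stream header (RFC 1950). The following added example (not libpng or zlib code; the function name is ours) parses that two-byte header, derives the window size the stream declares, and rejects the over-large CINFO values that the message says some zlib versions would otherwise accept:

```c
/* Added example, not libpng or zlib code. Parses a zlib stream header
 * (RFC 1950) and returns the declared window bits (8 + CINFO), or -1 if the
 * header is invalid. */
int zlib_header_window_bits(unsigned char cmf, unsigned char flg)
{
    unsigned cm    = cmf & 0x0Fu;         /* compression method: 8 = deflate */
    unsigned cinfo = (cmf >> 4) & 0x0Fu;  /* log2(window size) - 8 */

    /* FCHECK: CMF*256 + FLG must be a multiple of 31. */
    if (((unsigned)cmf * 256u + flg) % 31u != 0)
        return -1;
    if (cm != 8)
        return -1;
    /* RFC 1950 allows CINFO 0..7 (window up to 32K). A larger value is an
     * invalid stream even when the deflate data that follows decodes. */
    if (cinfo > 7)
        return -1;
    /* FDICT: PNG datastreams must not use a preset dictionary. */
    if (flg & 0x20u)
        return -1;
    return (int)(cinfo + 8);
}
```

A reader that sizes its inflate window from this value (rather than from a fixed 32K) must apply the CINFO range check itself; passing an out-of-range value through is how an invalid image can come to display 'correctly'.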
input that was made in version 1.6.17beta01, to preserve legacy
behavior even though it was incorrect. Instead, added new API
png_set_filter_16() and png_set_add_alpha_16() that set a flag to
make png_do_read_filter() interpret the filler bytes properly.
function has apparently never been used. It was implemented
to support back-door modification of png_struct in libpng-1.4.x
but was apparently never tested (because it does nothing and cannot
do anything).
and 1-million-row default limits in pnglibconf.dfa, that can be reset
by the user at build time or run time. This provides a more robust
defense against DoS and as-yet undiscovered overflows.
Display user limits in the output from pngtest.