[libpng16] Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column
and 1-million-row default limits in pnglibconf.dfa, which can be reset
by the user at build time or run time. This provides a more robust
defense against DoS and as-yet undiscovered overflows.
Display user limits in the output from pngtest.
diff --git a/ANNOUNCE b/ANNOUNCE
index 5c63c3b..0281b45 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,4 +1,4 @@
-Libpng 1.6.17beta03 - February 7, 2015
+Libpng 1.6.17beta03 - February 17, 2015
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
@@ -44,7 +44,12 @@
Work around one more Coverity-scan dead-code warning.
Do not build png_product2() when it is unused.
-Version 1.6.17beta03 [February 7, 2015]
+Version 1.6.17beta03 [February 17, 2015]
+ Display user limits in the output from pngtest.
+ Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column
+ and 1-million-row default limits in pnglibconf.dfa, that can be reset
+ by the user at build time or run time. This provides a more robust
+ defense against DOS and as-yet undiscovered overflows.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/CHANGES b/CHANGES
index 06a07d4..ba429cd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5145,7 +5145,12 @@
Work around one more Coverity-scan dead-code warning.
Do not build png_product2() when it is unused.
-Version 1.6.17beta03 [February 7, 2015]
+Version 1.6.17beta03 [February 17, 2015]
+ Display user limits in the output from pngtest.
+ Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column
+ and 1-million-row default limits in pnglibconf.dfa, that can be reset
+ by the user at build time or run time. This provides a more robust
+ defense against DOS and as-yet undiscovered overflows.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/pngpriv.h b/pngpriv.h
index 4d7a665..5b0213f 100644
--- a/pngpriv.h
+++ b/pngpriv.h
@@ -300,46 +300,9 @@
/* SECURITY and SAFETY:
*
- * By default libpng is built without any internal limits on image size,
- * individual heap (png_malloc) allocations or the total amount of memory used.
- * If PNG_SAFE_LIMITS_SUPPORTED is defined, however, the limits below are used
- * (unless individually overridden). These limits are believed to be fairly
- * safe, but builders of secure systems should verify the values against the
- * real system capabilities.
- */
-#ifdef PNG_SAFE_LIMITS_SUPPORTED
- /* 'safe' limits */
-# ifndef PNG_USER_WIDTH_MAX
-# define PNG_USER_WIDTH_MAX 1000000
-# endif
-# ifndef PNG_USER_HEIGHT_MAX
-# define PNG_USER_HEIGHT_MAX 1000000
-# endif
-# ifndef PNG_USER_CHUNK_CACHE_MAX
-# define PNG_USER_CHUNK_CACHE_MAX 128
-# endif
-# ifndef PNG_USER_CHUNK_MALLOC_MAX
-# define PNG_USER_CHUNK_MALLOC_MAX 8000000
-# endif
-#else
- /* values for no limits */
-# ifndef PNG_USER_WIDTH_MAX
-# define PNG_USER_WIDTH_MAX 0x7fffffff
-# endif
-# ifndef PNG_USER_HEIGHT_MAX
-# define PNG_USER_HEIGHT_MAX 0x7fffffff
-# endif
-# ifndef PNG_USER_CHUNK_CACHE_MAX
-# define PNG_USER_CHUNK_CACHE_MAX 0
-# endif
-# ifndef PNG_USER_CHUNK_MALLOC_MAX
-# define PNG_USER_CHUNK_MALLOC_MAX 0
-# endif
-#endif
-
-/* Moved to pngpriv.h at libpng-1.5.0 */
-/* NOTE: some of these may have been used in external applications as
- * these definitions were exposed in pngconf.h prior to 1.5.
+ * libpng is built with support for internal limits on image dimensions and
+ * memory usage. These are documented in scripts/pnglibconf.dfa of the
+ * source and recorded in the machine generated header file pnglibconf.h.
*/
/* If you are running on a machine where you cannot allocate more
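Review bot: The replacement "SECURITY and SAFETY" comment no longer tells the reader that the limits can be switched off or set to an "unlimited" value, which is the information a builder handling untrusted PNGs needs here. I would add a sentence such as `* Disabling PNG_USER_LIMITS_SUPPORTED, or setting a limit to its "unlimited" value (0x7fffffff for dimensions, 0 for the chunk limits), removes this protection.` The hunk also drops every `#ifndef PNG_USER_*_MAX` fallback, so a pnglibconf.h that was not regenerated from the new pnglibconf.dfa would leave these macros undefined. The code that uses them is outside this hunk, so it is worth confirming that each use is guarded or that the build fails loudly in that case.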
diff --git a/pngtest.c b/pngtest.c
index 4e64def..5d09f1c 100644
--- a/pngtest.c
+++ b/pngtest.c
@@ -377,7 +377,7 @@
io_ptr = png_get_io_ptr(png_ptr);
if (io_ptr != NULL)
{
- check = fread(data, (sizeof (png_byte)), length, (png_FILE_p)io_ptr);
+ check = fread(data, 1, length, (png_FILE_p)io_ptr);
}
if (check != length)
@@ -1610,8 +1610,8 @@
png_size_t num_in, num_out;
char inbuf[256], outbuf[256];
- num_in = fread(inbuf, 1, (sizeof inbuf), fpin);
- num_out = fread(outbuf, 1, (sizeof outbuf), fpout);
+ num_in = fread(inbuf, 1, sizeof inbuf, fpin);
+ num_out = fread(outbuf, 1, sizeof outbuf, fpout);
if (num_in != num_out)
{
@@ -1701,6 +1701,8 @@
int multiple = 0;
int ierror = 0;
+ png_structp dummy_ptr;
+
fprintf(STDERR, "\n Testing libpng version %s\n", PNG_LIBPNG_VER_STRING);
fprintf(STDERR, " with zlib version %s\n", ZLIB_VERSION);
fprintf(STDERR, "%s", png_get_copyright(NULL));
@@ -1994,6 +1996,24 @@
else
fprintf(STDERR, " libpng FAILS test\n");
+ dummy_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING, NULL, NULL, NULL);
+ fprintf(STDERR, " Default limits:\n");
+ fprintf(STDERR, " width_max = %lu\n",
+ (unsigned long) png_get_user_width_max(dummy_ptr));
+ fprintf(STDERR, " height_max = %lu\n",
+ (unsigned long) png_get_user_height_max(dummy_ptr));
+ if (png_get_chunk_cache_max(dummy_ptr) == 0)
+ fprintf(STDERR, " cache_max = unlimited\n");
+ else
+ fprintf(STDERR, " cache_max = %lu\n",
+ (unsigned long) png_get_chunk_cache_max(dummy_ptr));
+ if (png_get_chunk_malloc_max(dummy_ptr) == 0)
+ fprintf(STDERR, " malloc_max = unlimited\n");
+ else
+ fprintf(STDERR, " malloc_max = %lu\n",
+ (unsigned long) png_get_chunk_malloc_max(dummy_ptr));
+ png_destroy_read_struct(&dummy_ptr, NULL, NULL);
+
return (int)(ierror != 0);
}
#else
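Review bot: The pointer returned by `png_create_read_struct()` in the added "Default limits" block is passed to the getters without a NULL check. The getter definitions are not in this hunk; if they tolerate a NULL `png_ptr` and return 0, a failed creation would print `cache_max = unlimited` and `malloc_max = unlimited`, misreporting the protection the build provides. The block also calls the limit getters unconditionally, although the pnglibconf.dfa change in this commit keeps USER_LIMITS and SET_USER_LIMITS as options that can be disabled. The block, and the `dummy_ptr` declaration added in the earlier hunk of this function, probably need the matching `#ifdef`. The function starts outside this hunk.
```c
#ifdef PNG_SET_USER_LIMITS_SUPPORTED /* confirm which macro gates the getters */
   dummy_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING, NULL, NULL, NULL);
   if (dummy_ptr == NULL)
      fprintf(STDERR, " Default limits: unavailable\n");
   else
   {
      /* ... unchanged: the "Default limits" fprintf calls ... */
      png_destroy_read_struct(&dummy_ptr, NULL, NULL);
   }
#endif
```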
diff --git a/pngusr.dfa b/pngusr.dfa
index 9d39564..83067c3 100644
--- a/pngusr.dfa
+++ b/pngusr.dfa
@@ -8,7 +8,7 @@
# here by entering the appropriate values as #defines preceded by '@' (to cause,
# them to be passed through to the build of pnglibconf.h), for example:
#
-# @# define PNG_USER_WIDTH_MAX 1000000
-# @# define PNG_USER_HEIGHT_MAX 1000000
-# @# define PNG_USER_CHUNK_CACHE_MAX 128
-# @# define PNG_USER_CHUNK_MALLOC_MAX 8000000
+# @# define PNG_USER_WIDTH_MAX 65535
+# @# define PNG_USER_HEIGHT_MAX 65535
+# @# define PNG_USER_CHUNK_CACHE_MAX 256
+# @# define PNG_USER_CHUNK_MALLOC_MAX 640000
diff --git a/scripts/pnglibconf.dfa b/scripts/pnglibconf.dfa
index d98d274..692fd58 100644
--- a/scripts/pnglibconf.dfa
+++ b/scripts/pnglibconf.dfa
@@ -350,36 +350,15 @@
option IO_STATE
-# This is only for PowerPC big-endian and 680x0 systems
-# some testing, not enabled by default.
-# NO LONGER USED
-
-#option READ_BIG_ENDIAN disabled
-
-# Allow users to control limits on what the READ code will
-# read:
-
-# Added at libpng-1.2.43; adds limit fields to png_struct,
-# allows some usages of these fields
-
-option USER_LIMITS
-
-# Added at libpng-1.2.6; adds setting APIs, allows additional
-# usage of this field (UTSL)
-
-option SET_USER_LIMITS requires USER_LIMITS
-
-# Feature added at libpng-1.4.0, this flag added at 1.4.1
-option SET_USER_LIMITS enables SET_CHUNK_CACHE_LIMIT
-# Feature added at libpng-1.4.1, this flag added at 1.4.1
-
-option SET_USER_LIMITS enables SET_CHUNK_MALLOC_LIMIT
-
-# Libpng limits.
+# Libpng limits: limit the size of images and data on read.
#
-# If these settings are *not* set libpng will not limit the size of
-# images or the size of data in ancilliary chunks. This does lead to
-# security issues if PNG files come from untrusted sources. Settings have the
+# If this option is disabled all the limit checking code will be disabled:
+
+option USER_LIMITS requires READ
+
+# The default settings given below for the limits mean that libpng will
+# limit the size of images or the size of data in ancilliary chunks to less
+# than the specification or implementation limits. Settings have the
# following interpretations:
#
# USER_WIDTH_MAX: maximum width of an image that will be read
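Review bot: The rewritten comment above `option USER_LIMITS requires READ` drops the old warning that running without limits "does lead to security issues if PNG files come from untrusted sources", yet the option can still be disabled. I would keep that guidance next to the option, for example `# Disabling USER_LIMITS removes all limit checking; do this only when every PNG that is read comes from a trusted source.` The new comment line also carries over the misspelling "ancilliary", which should read "ancillary".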
@@ -389,17 +368,14 @@
#
# Only chunks that are variable in number are counted towards the
# USER_CHUNK_CACHE_MAX limit
-setting USER_WIDTH_MAX
-setting USER_HEIGHT_MAX
-setting USER_CHUNK_CACHE_MAX
-setting USER_CHUNK_MALLOC_MAX
+setting USER_WIDTH_MAX default 1000000 /* Use 0x7fffffff for unlimited */
+setting USER_HEIGHT_MAX default 1000000 /* Use 0x7fffffff for unlimited */
+setting USER_CHUNK_CACHE_MAX default 1000 /* Use 0 for unlimited */
+setting USER_CHUNK_MALLOC_MAX default 8000000 /* Use 0 for unlimited */
-# To default all these settings to values that are large but probably
-# safe turn the SAFE_LIMITS option on; this will cause the value in
-# pngpriv.h to be used. Individual values can also be set, simply set
-# them in pngusr.dfa with '@#define PNG_setting value' lines.
-option SAFE_LIMITS enables USER_LIMITS disabled
-= SAFE_LIMITS SAFE_LIMITS
+# If this option is enabled APIs to set the above limits at run time are added;
+# without this the hardwired (compile time) limits will be used.
+option SET_USER_LIMITS requires USER_LIMITS
# All of the following options relate to code capabilities for
# processing image data before creating a PNG or after reading one.
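Review bot: The defaults added for `USER_CHUNK_CACHE_MAX` (1000) and `USER_CHUNK_MALLOC_MAX` (8000000) change behaviour that the commit message and the ANNOUNCE/CHANGES entries do not mention, since those describe only the column and row limits. The lines removed from pngpriv.h show both chunk limits were 0 (unlimited) unless PNG_SAFE_LIMITS_SUPPORTED was defined, so an application reading a large ancillary chunk may now see it rejected. The cache default of 1000 also differs from the 128 used by the removed "safe" block, which deserves a word of rationale. A comment above the settings would cover both, for example `# Before this change the chunk cache and chunk malloc limits defaulted to 0 (unlimited); use png_set_chunk_cache_max()/png_set_chunk_malloc_max() to raise them.`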
@@ -541,6 +517,7 @@
# non-IDAT chunks (zTXt, iTXt, iCCP, and unknown chunks). This feature
# was added at libpng-1.5.3.
option WRITE_CUSTOMIZE_ZTXT_COMPRESSION requires WRITE
+option WRITE_CUSTOMIZE_COMPRESSION requires WRITE
# Any chunks you are not interested in, you can undef here. The
# ones that allocate memory may be expecially important (hIST,
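Review bot: The added `option WRITE_CUSTOMIZE_COMPRESSION requires WRITE` has no comment of its own and sits directly under text that describes only the non-IDAT (zTXt, iTXt, iCCP) compression customization. It is also not mentioned in the commit message or the CHANGES entry, which cover only the read limits. A one-line comment above it stating what the option controls and the version it was introduced in, in the style of the neighbouring options, would make the change traceable.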
diff --git a/scripts/pnglibconf.h.prebuilt b/scripts/pnglibconf.h.prebuilt
index a6101a9..7a683d3 100644
--- a/scripts/pnglibconf.h.prebuilt
+++ b/scripts/pnglibconf.h.prebuilt
@@ -2,7 +2,7 @@
/* pnglibconf.h - library build configuration */
-/* Libpng version 1.6.17beta03 - February 7, 2015 */
+/* Libpng version 1.6.17beta03 - February 17, 2015 */
/* Copyright (c) 1998-2014 Glenn Randers-Pehrson */
@@ -97,7 +97,6 @@
#define PNG_READ_tIME_SUPPORTED
#define PNG_READ_tRNS_SUPPORTED
#define PNG_READ_zTXt_SUPPORTED
-/*#undef PNG_SAFE_LIMITS_SUPPORTED*/
#define PNG_SAVE_INT_32_SUPPORTED
#define PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
#define PNG_SEQUENTIAL_READ_SUPPORTED
@@ -129,6 +128,7 @@
#define PNG_WRITE_BGR_SUPPORTED
#define PNG_WRITE_CHECK_FOR_INVALID_INDEX_SUPPORTED
#define PNG_WRITE_COMPRESSED_TEXT_SUPPORTED
+#define PNG_WRITE_CUSTOMIZE_COMPRESSION_SUPPORTED
#define PNG_WRITE_CUSTOMIZE_ZTXT_COMPRESSION_SUPPORTED
#define PNG_WRITE_FILLER_SUPPORTED
#define PNG_WRITE_FILTER_SUPPORTED
@@ -198,6 +198,10 @@
#define PNG_QUANTIZE_RED_BITS 5
#define PNG_TEXT_Z_DEFAULT_COMPRESSION (-1)
#define PNG_TEXT_Z_DEFAULT_STRATEGY 0
+#define PNG_USER_CHUNK_CACHE_MAX 1000 /* Use 0 for unlimited */
+#define PNG_USER_CHUNK_MALLOC_MAX 8000000 /* Use 0 for unlimited */
+#define PNG_USER_HEIGHT_MAX 1000000 /* Use 0x7fffffff for unlimited */
+#define PNG_USER_WIDTH_MAX 1000000 /* Use 0x7fffffff for unlimited */
#define PNG_WEIGHT_SHIFT 8
#define PNG_ZBUF_SIZE 8192
#define PNG_ZLIB_VERNUM 0 /* unknown */