[libpng12] Use a more generous size limit for IDAT chunks
diff --git a/ANNOUNCE b/ANNOUNCE
index 8b86f90..88f49ce 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
 
-Libpng 1.2.59beta01 - August 28, 2017
+Libpng 1.2.59beta02 - September 3, 2017
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -9,34 +9,34 @@
 Source files with LF line endings (for Unix/Linux) and with a
 "configure" script
 
-   libpng-1.2.59beta01.tar.xz (LZMA-compressed, recommended)
-   libpng-1.2.59beta01.tar.gz
+   libpng-1.2.59beta02.tar.xz (LZMA-compressed, recommended)
+   libpng-1.2.59beta02.tar.gz
 
 Source files with LF line endings (for Unix/Linux) without the
 "configure" script
 
-   libpng-1.2.59beta01-no-config.tar.xz (LZMA-compressed, recommended)
-   libpng-1.2.59beta01-no-config.tar.gz
+   libpng-1.2.59beta02-no-config.tar.xz (LZMA-compressed, recommended)
+   libpng-1.2.59beta02-no-config.tar.gz
 
 Source files with CRLF line endings (for Windows), without the
 "configure" script
 
-   lp1259b01.zip
-   lp1259b01.7z
+   lp1259b02.zip
+   lp1259b02.7z
 
 Project files
 
-   libpng-1.2.59beta01-project-netware.zip
-   libpng-1.2.59beta01-project-wince.zip
+   libpng-1.2.59beta02-project-netware.zip
+   libpng-1.2.59beta02-project-wince.zip
 
 Other information:
 
-   libpng-1.2.59beta01-README.txt
-   libpng-1.2.59beta01-KNOWNBUGS.txt
-   libpng-1.2.59beta01-LICENSE.txt
-   libpng-1.2.59beta01-Y2K-compliance.txt
-   libpng-1.2.59beta01-[previous version]-diff.txt
-   libpng-1.2.59beta01-*.asc (armored detached GPG signatures)
+   libpng-1.2.59beta02-README.txt
+   libpng-1.2.59beta02-KNOWNBUGS.txt
+   libpng-1.2.59beta02-LICENSE.txt
+   libpng-1.2.59beta02-Y2K-compliance.txt
+   libpng-1.2.59beta02-[previous version]-diff.txt
+   libpng-1.2.59beta02-*.asc (armored detached GPG signatures)
 
 Changes since the last public release (1.2.58):
 
@@ -44,6 +44,10 @@
   Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing
     parenthesis in contrib/pngminus/pnm2png.c (bug report by Christian Hesse).
 
+Version 1.2.59beta02 [September 3, 2017]
+  Compute a larger limit on IDAT because some applications write a deflate
+    buffer for each row (Bug report by Andrew Church).
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/CHANGES b/CHANGES
index 266a560..4186bf1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2932,20 +2932,24 @@
 version 1.2.58beta01 [August 11, 2017]
   Added png_check_chunk_length() function, and check all chunks except
     IDAT against the default 8MB limit; check IDAT against the maximum
-    size computed from IHDR parameters.
+    size computed from IHDR parameters (Fixes CVE-2017-12652).
 
 version 1.2.58rc01 [August 19, 2017]
   Check for 0 return from png_get_rowbytes() and added some (size_t) typecasts
     in contrib/pngminus/*.c to stop some Coverity issues (162705, 162706,
     and 162707).
 
-version 1.0.68 and 1.2.58 [August 28, 2017]
+version 1.0.68 and 1.2.58 [September 3, 2017]
   No changes.
 
 Version 1.2.59beta01 [August 28, 2017]
   Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing
     parenthesis in contrib/pngminus/pnm2png.c (bug report by Christian Hesse).
 
+Version 1.2.59beta02 [September 3, 2017]
+  Compute a larger limit on IDAT because some applications write a deflate
+    buffer for each row (Bug report by Andrew Church).
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/pngrutil.c b/pngrutil.c
index ca15ccf..2b62f24 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1,7 +1,7 @@
 
 /* pngrutil.c - utilities to read a PNG file
  *
- * Last changed in libpng 1.2.58 [August 24, 2017]
+ * Last changed in libpng 1.2.59 [(PENDING RELEASE)]
  * Copyright (c) 1998-2002,2004,2006-2015,2017 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -2513,28 +2513,28 @@
 png_check_chunk_length(png_structp png_ptr, png_uint_32 length)
 {
    png_uint_32 limit = PNG_UINT_31_MAX;
-
-   /* if (png_ptr->chunk_name != "IDAT") */
-   if (png_ptr->chunk_name[0] != 73 || png_ptr->chunk_name[1] !=68 ||
-       png_ptr->chunk_name[2] != 65 || png_ptr->chunk_name[3] !=84)
-   {
 # if PNG_USER_CHUNK_MALLOC_MAX > 0
       if (PNG_USER_CHUNK_MALLOC_MAX < limit)
          limit = PNG_USER_CHUNK_MALLOC_MAX;
 # endif
-   }
-   else
+   /* if (png_ptr->chunk_name == png_IDAT) */
+   if (png_ptr->chunk_name[0] != 73 || png_ptr->chunk_name[1] !=68 ||
+       png_ptr->chunk_name[2] != 65 || png_ptr->chunk_name[3] !=84)
    {
+      png_uint_32 idat_limit = PNG_UINT_31_MAX;
       size_t row_factor =
          (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
           + 1 + (png_ptr->interlaced? 6: 0));
       if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
-         limit=PNG_UINT_31_MAX;
+         idat_limit=PNG_UINT_31_MAX;
       else
-         limit = png_ptr->height * row_factor;
-      limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */
-      limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX;
+         idat_limit = png_ptr->height * row_factor;
+      row_factor = row_factor > 32566? 32566 : row_factor;
+      idat_limit += 6 + 5*(idat_limit/row_factor+1); /* zlib+deflate overhead */
+      idat_limit=idat_limit < PNG_UINT_31_MAX? idat_limit : PNG_UINT_31_MAX;
+      limit = limit < idat_limit? idat_limit : limit;
    }
+
    if (length > limit)
    {
       png_debug2(0," length = %lu, limit = %lu",
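Review bot: The test kept on the new lines, `if (png_ptr->chunk_name[0] != 73 || ...)`, still selects every chunk that is not IDAT, although the comment above it now reads `chunk_name == png_IDAT` and the body computes `idat_limit`. As written, the limit for non-IDAT chunks becomes the larger of PNG_USER_CHUNK_MALLOC_MAX and a value derived from the IHDR dimensions, which weakens the cap that CHANGES credits with fixing CVE-2017-12652, while IDAT itself is held to the small cap. The condition should read `if (png_ptr->chunk_name[0] == 73 && png_ptr->chunk_name[1] == 68 &&` followed by `png_ptr->chunk_name[2] == 65 && png_ptr->chunk_name[3] == 84)`. Separately, `row_factor` and `5*(idat_limit/row_factor+1)` are computed without overflow checks, so where `size_t` is 32 bits the product may wrap, possibly to 0 ahead of the division; a guard before `PNG_UINT_32_MAX/row_factor` would be worth adding. The function's return-type line and the end of the `if (length > limit)` body lie outside this hunk.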
@@ -2543,7 +2543,6 @@
    }
 }
 
-
 /* Combines the row recently read in with the existing pixels in the
    row.  This routine takes care of alpha and transparency if requested.
    This routine also handles the two methods of progressive display