mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[libpng16] Fixed conceivable but difficult to repro overflow. Also added

Browse Source 
two test programs to generate and test a PNG which should have the problem.
This commit is contained in:
John Bowler
2013-01-10 10:55:34 -06:00
committed by Glenn Randers-Pehrson
parent 37109a9f5b
commit 1c6e22a360
6 changed files with 194 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
contrib/libtests/fakepng.c Normal file
View File

@@ -0,0 +1,57 @@
/* Fake a PNG - just write it out directly. */
#include <stdio.h>
#include <zlib.h> /* for crc32 */
void
put_uLong(uLong val)
{
putchar(val >> 24);
putchar(val >> 16);
putchar(val >> 8);
putchar(val >> 0);
}
void
put_chunk(const unsigned char *chunk, uInt length)
{
uLong crc;
put_uLong(length-4); /* Exclude the tag */
fwrite(chunk, length, 1, stdout);
crc = crc32(0, Z_NULL, 0);
put_uLong(crc32(crc, chunk, length));
}
const unsigned char signature[] =
{
137, 80, 78, 71, 13, 10, 26, 10
};
const unsigned char IHDR[] =
{
73, 72, 68, 82, /* IHDR */
0, 0, 0, 1, /* width */
0, 0, 0, 1, /* height */
1, /* bit depth */
0, /* color type: greyscale */
0, /* compression method */
0, /* filter method */
0 /* interlace method: none */
};
const unsigned char unknown[] =
{
'u', 'n', 'K', 'n' /* "unKn" - private safe to copy */
};
int
main(void)
{
fwrite(signature, sizeof signature, 1, stdout);
put_chunk(IHDR, sizeof IHDR);
for(;;)
put_chunk(unknown, sizeof unknown);
}

104
contrib/libtests/readpng.c Normal file
View File

@@ -0,0 +1,104 @@
/* readpng.c
*
* Copyright (c) 2013 John Cunningham Bowler
*
* Last changed in libpng 1.6.0 [(PENDING RELEASE)]
*
* This code is released under the libpng license.
* For conditions of distribution and use, see the disclaimer
* and license in png.h
*
* Load an arbitrary number of PNG files (from the command line, or, if there
* are no arguments on the command line, from stdin) then run a time test by
* reading each file by row. The test does nothing with the read result and
* does no transforms. The only output is a time as a floating point number of
* seconds with 9 decimal digits.
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#if (defined HAVE_CONFIG_H) && !(defined PNG_NO_CONFIG_H)
# include <config.h>
#endif
/* Define the following to use this test against your installed libpng, rather
* than the one being built here:
*/
#ifdef PNG_FREESTANDING_TESTS
# include <png.h>
#else
# include "../../png.h"
#endif
static int
read_png(FILE *fp)
{
png_structp png_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING,0,0,0);
png_infop info_ptr = NULL;
png_bytep row = NULL, display = NULL;
if (png_ptr == NULL)
return 0;
if (setjmp(png_jmpbuf(png_ptr)))
{
png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
if (row != NULL) free(row);
if (display != NULL) free(display);
return 0;
}
png_init_io(png_ptr, fp);
info_ptr = png_create_info_struct(png_ptr);
if (info_ptr == NULL)
png_error(png_ptr, "OOM allocating info structure");
png_set_keep_unknown_chunks(png_ptr, PNG_HANDLE_CHUNK_ALWAYS, NULL, 0);
png_read_info(png_ptr, info_ptr);
{
png_size_t rowbytes = png_get_rowbytes(png_ptr, info_ptr);
row = malloc(rowbytes);
display = malloc(rowbytes);
if (row == NULL || display == NULL)
png_error(png_ptr, "OOM allocating row buffers");
{
png_uint_32 height = png_get_image_height(png_ptr, info_ptr);
int passes = png_set_interlace_handling(png_ptr);
int pass;
png_start_read_image(png_ptr);
for (pass = 0; pass < passes; ++pass)
{
png_uint_32 y = height;
/* NOTE: this trashes the row each time; interlace handling won't
* work, but this avoids memory thrashing for speed testing.
*/
while (y-- > 0)
png_read_row(png_ptr, row, display);
}
}
}
/* Make sure to read to the end of the file: */
png_read_end(png_ptr, info_ptr);
png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
free(row);
free(display);
return 1;
}
int
main(void)
{
/* Exit code 0 on success. */
return !read_png(stdin);
}