[libng15] Prevent writing over-length PLTE chunk (Cosmin Truta).

2025-07-10 18:04:09 +02:00 · 2015-10-29 09:56:19 -05:00 · 2015-10-29 09:56:19 -05:00 · 3a990c93f4
commit 3a990c93f4
parent 39f8f0e6da
5 changed files with 33 additions and 17 deletions
--- a/5
+++ b/5
@ -1,5 +1,5 @@

-Libpng 1.5.24beta03 - October 15, 2015
+Libpng 1.5.24beta03 - October 29, 2015

 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@ -52,7 +52,8 @@ Version 1.5.24beta02 [October 15, 2015]
  Merged pngvalid.c with version 1.6.19.
  Added sPLT support to pngtest.c

-Version 1.5.24beta03 [October 15, 2015]
+Version 1.5.24beta03 [October 29, 2015]
+  Prevent writing over-length PLTE chunk (Cosmin Truta).

 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
--- a/6
+++ b/6
@ -3754,7 +3754,8 @@ Version 1.5.7beta04 [November 17, 2011]
 Version 1.5.7beta05 [November 25, 2011]
  Removed "zTXt" from warning in generic chunk decompression function.
  Validate time settings passed to pngset() and png_convert_to_rfc1123()
-    (Frank Busse).
+    (Frank Busse). Note: This prevented CVE-2015-7981 from affecting
+    libpng-1.5.7 and later.
  Added MINGW support to CMakeLists.txt
  Reject invalid compression flag or method when reading the iTXt chunk.
  Backed out 'simplified' API changes. The API seems too complex and there
@ -4398,7 +4399,8 @@ Version 1.5.24beta02 [October 15, 2015]
  Merged pngvalid.c with version 1.6.19.
  Added sPLT support to pngtest.c

-Version 1.5.24beta03 [October 15, 2015]
+Version 1.5.24beta03 [October 29, 2015]
+  Prevent writing over-length PLTE chunk (Cosmin Truta).

 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
--- a/libpng-manual.txt
+++ b/libpng-manual.txt
@ -1,6 +1,6 @@
 Libpng-manual.txt - A description on how to use and modify libpng

- libpng version 1.5.24beta03 - October 15, 2015
+ libpng version 1.5.24beta03 - October 29, 2015
 Updated and distributed by Glenn Randers-Pehrson
 <glennrp at users.sourceforge.net>
 Copyright (c) 1998-2014 Glenn Randers-Pehrson
@ -11,7 +11,7 @@ Libpng-manual.txt - A description on how to use and modify libpng

 Based on:

- libpng versions 0.97, January 1998, through 1.5.24beta03 - October 15, 2015
+ libpng versions 0.97, January 1998, through 1.5.24beta03 - October 29, 2015
 Updated and distributed by Glenn Randers-Pehrson
 Copyright (c) 1998-2014 Glenn Randers-Pehrson

@ -4256,6 +4256,11 @@ limits are now
 The png_set_option() function (and the "options" member of the png struct) was
 added to libpng-1.5.15.

+Starting with libpng-1.5.24, attempting to write an over-length PLTE chunk
+is an error. Previously this requirement of the PNG specification was not
+enforced. Libpng continues to accept over-length PLTE chunks when reading,
+but does not make any use of the extra entries.
+
 The library now supports a complete fixed point implementation and can
 thus be used on systems that have no floating point support or very
 limited or slow support.  Previously gamma correction, an essential part
@ -4501,7 +4506,7 @@ Other rules can be inferred by inspecting the libpng source.

 XIV. Y2K Compliance in libpng

-October 15, 2015
+October 29, 2015

 Since the PNG Development group is an ad-hoc body, we can't make
 an official declaration.
--- a/libpng.3
+++ b/libpng.3
@ -1,4 +1,4 @@
-.TH LIBPNG 3 "October 15, 2015"
+.TH LIBPNG 3 "October 29, 2015"
 .SH NAME
 libpng \- Portable Network Graphics (PNG) Reference Library 1.5.24beta03
 .SH SYNOPSIS
@ -496,7 +496,7 @@ Following is a copy of the libpng-manual.txt file that accompanies libpng.
 .SH LIBPNG.TXT
 Libpng-manual.txt - A description on how to use and modify libpng

- libpng version 1.5.24beta03 - October 15, 2015
+ libpng version 1.5.24beta03 - October 29, 2015
 Updated and distributed by Glenn Randers-Pehrson
 <glennrp at users.sourceforge.net>
 Copyright (c) 1998-2014 Glenn Randers-Pehrson
@ -507,7 +507,7 @@ Libpng-manual.txt - A description on how to use and modify libpng

 Based on:

- libpng versions 0.97, January 1998, through 1.5.24beta03 - October 15, 2015
+ libpng versions 0.97, January 1998, through 1.5.24beta03 - October 29, 2015
 Updated and distributed by Glenn Randers-Pehrson
 Copyright (c) 1998-2014 Glenn Randers-Pehrson

@ -4752,6 +4752,11 @@ limits are now
 The png_set_option() function (and the "options" member of the png struct) was
 added to libpng-1.5.15.

+Starting with libpng-1.5.24, attempting to write an over-length PLTE chunk
+is an error. Previously this requirement of the PNG specification was not
+enforced. Libpng continues to accept over-length PLTE chunks when reading,
+but does not make any use of the extra entries.
+
 The library now supports a complete fixed point implementation and can
 thus be used on systems that have no floating point support or very
 limited or slow support.  Previously gamma correction, an essential part
@ -4997,7 +5002,7 @@ Other rules can be inferred by inspecting the libpng source.

 .SH XIV. Y2K Compliance in libpng

-October 15, 2015
+October 29, 2015

 Since the PNG Development group is an ad-hoc body, we can't make
 an official declaration.
@ -5310,7 +5315,7 @@ possible without all of you.

 Thanks to Frank J. T. Wojcik for helping with the documentation.

-Libpng version 1.5.24beta03 - October 15, 2015:
+Libpng version 1.5.24beta03 - October 29, 2015:
 Initially created in 1995 by Guy Eric Schalnat, then of Group 42, Inc.
 Currently maintained by Glenn Randers-Pehrson (glennrp at users.sourceforge.net).

@ -5333,7 +5338,7 @@ this sentence.

 This code is released under the libpng license.

-libpng versions 1.0.7, July 1, 2000, through 1.5.24beta03, October 15, 2015, are
+libpng versions 1.0.7, July 1, 2000, through 1.5.24beta03, October 29, 2015, are
 Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, and are
 distributed according to the same disclaimer and license as libpng-1.0.6
 with the following individuals added to the list of Contributing Authors:
@ -5426,7 +5431,7 @@ the additional disclaimers inserted at version 1.0.7.

 Glenn Randers-Pehrson
 glennrp at users.sourceforge.net
-October 15, 2015
+October 29, 2015

 .\" end of man page

--- a/pngwutil.c
+++ b/pngwutil.c
@ -1,7 +1,7 @@

 /* pngwutil.c - utilities to write a PNG file
 *
- * Last changed in libpng 1.5.23 [July 23, 2015]
+ * Last changed in libpng 1.5.24 [(PENDING RELEASE)]
 * Copyright (c) 1998-2015 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@ -896,17 +896,20 @@ void /* PRIVATE */
 png_write_PLTE(png_structp png_ptr, png_const_colorp palette,
    png_uint_32 num_pal)
 {
-   png_uint_32 i;
+   png_uint_32 max_num_pal, i;
   png_const_colorp pal_ptr;
   png_byte buf[3];

   png_debug(1, "in png_write_PLTE");

+   max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
   if ((
 #ifdef PNG_MNG_FEATURES_SUPPORTED
       !(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) &&
 #endif
-       num_pal == 0) || num_pal > 256)
+       num_pal == 0) || num_pal > max_num_pal)
   {
      if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
      {