diff --git a/ANNOUNCE b/ANNOUNCE
index d15744f9c..cc394c17e 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
-Libpng 1.4.17beta01 - July 30, 2015
+Libpng 1.4.17beta01 - August 19, 2015
 This is not intended to be a public release. It will be replaced
 within a few weeks by a public version or by another test version.
@@ -27,7 +27,7 @@ Other information:
 Changes since the last public release (1.4.16):
-version 1.4.17beta01 [July 30, 2015]
+version 1.4.17beta01 [August 19, 2015]
 Fix typecast in a png_debug2() statement in png_set_text_2() to avoid
 a compiler warning in PNG_DEBUG builds.
 Avoid Coverity issues 80855, 80856, and 80857 (PRINTF_ARG_MISMATCH)
@@ -39,6 +39,15 @@ version 1.4.17beta01 [July 30, 2015]
 because usleep() is deprecated (port from libpng16).
 Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c
 Fixed uninitialized variable in contrib/gregbook/rpng2-x.c
+ Fixed some bad links in the man page.
+ Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert
+ Seacord).
+ Fixed the recently reported 1's complement security issue by replacing
+ the value that is illegal in the PNG spec, in both signed and unsigned
+ values, with 0. Illegal unsigned values (anything greater than or equal
+ to 0x80000000) can still pass through, but since these are not illegal
+ in ANSI-C (unlike 0x80000000 in the signed case) the checking that
+ occurs later can catch them (John Bowler).
 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit
diff --git a/CHANGES b/CHANGES
index 69a1d6389..d523c04e0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2957,7 +2957,7 @@ version 1.4.16rc01 [March 4, 2015]
 version 1.4.16 [March 19, 2015]
 No changes.
-version 1.4.17beta01 [July 30, 2015]
+version 1.4.17beta01 [August 19, 2015]
 Fix typecast in a png_debug2() statement in png_set_text_2() to avoid
 a compiler warning in PNG_DEBUG builds.
 Avoid Coverity issues 80855, 80856, and 80857 (PRINTF_ARG_MISMATCH)
@@ -2969,6 +2969,15 @@ version 1.4.17beta01 [July 30, 2015]
 because usleep() is deprecated (port from libpng16).
 Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c
 Fixed uninitialized variable in contrib/gregbook/rpng2-x.c
+ Fixed some bad links in the man page.
+ Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert
+ Seacord).
+ Fixed the recently reported 1's complement security issue by replacing
+ the value that is illegal in the PNG spec, in both signed and unsigned
+ values, with 0. Illegal unsigned values (anything greater than or equal
+ to 0x80000000) can still pass through, but since these are not illegal
+ in ANSI-C (unlike 0x80000000 in the signed case) the checking that
+ occurs later can catch them (John Bowler).
 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit
diff --git a/libpng-1.4.17beta01.txt b/libpng-1.4.17beta01.txt
index 9d05017c9..511fc9a54 100644
--- a/libpng-1.4.17beta01.txt
+++ b/libpng-1.4.17beta01.txt
@@ -1,6 +1,6 @@
 libpng.txt - A description on how to use and modify libpng
- libpng version 1.4.17beta01 - August 11, 2015
+ libpng version 1.4.17beta01 - August 19, 2015
 Updated and distributed by Glenn Randers-Pehrson
 Copyright (c) 1998-2014 Glenn Randers-Pehrson
@@ -11,7 +11,7 @@ libpng.txt - A description on how to use and modify libpng
 Based on:
- libpng versions 0.97, January 1998, through 1.4.17beta01 - August 11, 2015
+ libpng versions 0.97, January 1998, through 1.4.17beta01 - August 19, 2015
 Updated and distributed by Glenn Randers-Pehrson
 Copyright (c) 1998-2014 Glenn Randers-Pehrson
@@ -3284,7 +3284,7 @@ Other rules can be inferred by inspecting the libpng source.
 XIII. Y2K Compliance in libpng
-August 11, 2015
+August 19, 2015
 Since the PNG Development group is an ad-hoc body, we can't make
 an official declaration.
diff --git a/libpng.3 b/libpng.3
index 48474a23f..195621c35 100644
--- a/libpng.3
+++ b/libpng.3
@@ -1,4 +1,4 @@
-.TH LIBPNG 3 "August 11, 2015"
+.TH LIBPNG 3 "August 19, 2015"
 .SH NAME
 libpng \- Portable Network Graphics (PNG) Reference Library 1.4.17beta01
 .SH SYNOPSIS
@@ -442,7 +442,7 @@ Following is a copy of the libpng-manual.txt file that accompanies libpng.
 .SH LIBPNG.TXT
 libpng.txt - A description on how to use and modify libpng
- libpng version 1.4.17beta01 - August 11, 2015
+ libpng version 1.4.17beta01 - August 19, 2015
 Updated and distributed by Glenn Randers-Pehrson
 Copyright (c) 1998-2014 Glenn Randers-Pehrson
@@ -453,7 +453,7 @@ libpng.txt - A description on how to use and modify libpng
 Based on:
- libpng versions 0.97, January 1998, through 1.4.17beta01 - August 11, 2015
+ libpng versions 0.97, January 1998, through 1.4.17beta01 - August 19, 2015
 Updated and distributed by Glenn Randers-Pehrson
 Copyright (c) 1998-2014 Glenn Randers-Pehrson
@@ -3726,7 +3726,7 @@ Other rules can be inferred by inspecting the libpng source.
 .SH XIII. Y2K Compliance in libpng
-August 11, 2015
+August 19, 2015
 Since the PNG Development group is an ad-hoc body, we can't make
 an official declaration.
@@ -4009,7 +4009,7 @@ possible without all of you.
 Thanks to Frank J. T. Wojcik for helping with the documentation.
-Libpng version 1.4.17beta01 - August 11, 2015:
+Libpng version 1.4.17beta01 - August 19, 2015:
 Initially created in 1995 by Guy Eric Schalnat, then of Group 42, Inc.
 Currently maintained by Glenn Randers-Pehrson (glennrp at users.sourceforge.net).
@@ -4032,7 +4032,7 @@ this sentence.
 This code is released under the libpng license.
-libpng versions 1.0.7, July 1, 2000, through 1.4.17beta01, August 11, 2015, are
+libpng versions 1.0.7, July 1, 2000, through 1.4.17beta01, August 19, 2015, are
 Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, and are
 distributed according to the same disclaimer and license as libpng-1.0.6
 with the following individuals added to the list of Contributing Authors:
@@ -4124,7 +4124,7 @@ the additional disclaimers inserted at version 1.0.7.
 Glenn Randers-Pehrson
 glennrp at users.sourceforge.net
-August 11, 2015
+August 19, 2015
 .\" end of man page
diff --git a/png.c b/png.c
index de7298fd1..51f314efb 100644
--- a/png.c
+++ b/png.c
@@ -24,20 +24,24 @@ typedef version_1_4_17beta01 Your_png_h_is_not_version_1_4_17beta01;
 * stream we can set num_bytes = 8 so that libpng will not attempt to read
 * or write any of the magic bytes before it starts on the IHDR.
 */
-
 #ifdef PNG_READ_SUPPORTED
 void PNGAPI
 png_set_sig_bytes(png_structp png_ptr, int num_bytes)
 {
+ unsigned int nb = (unsigned int)num_bytes;
+
 png_debug(1, "in png_set_sig_bytes");
 if (png_ptr == NULL)
 return;
- if (num_bytes > 8)
+ if (num_bytes < 0)
+ nb = 0;
+
+ if (nb > 8)
 png_error(png_ptr, "Too many bytes for PNG signature");
- png_ptr->sig_bytes = (png_byte)(num_bytes < 0 ? 0 : num_bytes);
+ png_ptr->sig_bytes = (png_byte)nb;
 }
 /* Checks whether the supplied bytes match the PNG signature. We allow
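Review bot: The unsigned detour on the new `unsigned int nb = (unsigned int)num_bytes;` line in png_set_sig_bytes adds nothing, because the sign is still tested on the signed `num_bytes` a few lines later and the only other test is `nb > 8`; clamping the int directly is clearer and makes the final cast obviously in range: `if (num_bytes < 0) num_bytes = 0;` / `if (num_bytes > 8) png_error(png_ptr, "Too many bytes for PNG signature");` / `png_ptr->sig_bytes = (png_byte)num_bytes;`. A negative count is almost certainly a caller bug, and silently storing 0 hides it; a `png_warning(png_ptr, "Negative num_bytes in png_set_sig_bytes")` before the clamp would surface it without changing what is stored, if that fits the library's conventions for argument errors. The assignment after `png_error` is only safe if png_error does not return, which appears to be the existing assumption here but is not visible in the hunk; a short comment on the clamp, e.g. `/* Negative counts are treated as 0; more than the 8-byte signature is an error. */`, would record the contract the ANNOUNCE entry describes.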
@@ -220,6 +224,8 @@ png_info_init_3(png_infopp ptr_ptr, png_size_t png_info_struct_size)
 png_destroy_struct(info_ptr);
 info_ptr = (png_infop)png_create_struct(PNG_STRUCT_INFO);
 *ptr_ptr = info_ptr;
+ if (info_ptr == NULL)
+ return;
 }
 /* Set everything to 0 */
@@ -551,13 +557,13 @@ png_get_copyright(png_const_structp png_ptr)
 #else
 #ifdef __STDC__
 return ((png_charp) PNG_STRING_NEWLINE \
- "libpng version 1.4.17beta01 - May 9, 2015" PNG_STRING_NEWLINE \
+ "libpng version 1.4.17beta01 - August 19, 2015" PNG_STRING_NEWLINE \
 "Copyright (c) 1998-2015 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \
 "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
 "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
 PNG_STRING_NEWLINE);
 #else
- return ((png_charp) "libpng version 1.4.17beta01 - May 9, 2015\
+ return ((png_charp) "libpng version 1.4.17beta01 - August 19, 2015\
 Copyright (c) 1998-2015 Glenn Randers-Pehrson\
 Copyright (c) 1996-1997 Andreas Dilger\
 Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.");
diff --git a/png.h b/png.h
index c3bbe8110..aa5c4ddf2 100644
--- a/png.h
+++ b/png.h
@@ -1,7 +1,7 @@
 /* png.h - header file for PNG reference library
 *
- * libpng version 1.4.17beta01, July 13, 2015
+ * libpng version 1.4.17beta01, August 19, 2015
 *
 * Copyright (c) 1998-2015 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
@@ -12,7 +12,7 @@
 * Authors and maintainers:
 * libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat
 * libpng versions 0.89c, June 1996, through 0.96, May 1997: Andreas Dilger
- * libpng versions 0.97, January 1998, through 1.4.17beta01, July 13, 2015: Glenn
+ * libpng versions 0.97, January 1998, through 1.4.17beta01, August 19, 2015: Glenn
 * See also "Contributing Authors", below.
 *
 * Note about libpng version numbers:
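Review bot: The new `if (info_ptr == NULL) return;` in png_info_init_3 correctly avoids writing through a failed allocation, but the failure is invisible to the caller apart from `*ptr_ptr` having become NULL, and the previous info struct was already freed by the `png_destroy_struct(info_ptr);` line above, so the caller's original pointer is gone as well. The function returns void and has no png_ptr to report through (only its signature is visible in the hunk header; the rest of the body is outside the hunk), so a silent return is about the only option, but that contract should be written down: put `/* Allocation failed: *ptr_ptr is now NULL and the caller must check it. */` on the early return and state in the function's header comment that `*ptr_ptr` may be NULL on return. Whether png_create_struct can actually return NULL rather than aborting is not visible here; if it never does, the check is harmless but the comment should say so.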
@@ -215,7 +215,7 @@
 *
 * This code is released under the libpng license.
 *
- * libpng versions 1.0.7, July 1, 2000, through 1.4.17beta01, July 13, 2015, are
+ * libpng versions 1.0.7, July 1, 2000, through 1.4.17beta01, August 19, 2015, are
 * Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, and are
 * distributed according to the same disclaimer and license as libpng-1.0.6
 * with the following individuals added to the list of Contributing Authors:
@@ -322,7 +322,7 @@
 * Y2K compliance in libpng:
 * =========================
 *
- * July 13, 2015
+ * August 19, 2015
 *
 * Since the PNG Development group is an ad-hoc body, we can't make
 * an official declaration.
@@ -386,7 +386,7 @@
 /* Version information for png.h - this should match the version in png.c */
 #define PNG_LIBPNG_VER_STRING "1.4.17beta01"
 #define PNG_HEADER_VERSION_STRING \
- " libpng version 1.4.17beta01 - July 13, 2015\n"
+ " libpng version 1.4.17beta01 - August 19, 2015\n"
 #define PNG_LIBPNG_VER_SONUM 14
 #define PNG_LIBPNG_VER_DLLNUM 14
@@ -2650,7 +2650,7 @@ PNG_EXPORT(png_bytep,png_get_io_chunk_name)
 # define png_get_int_32(buf) \
 ((png_int_32)((*(buf) & 0x80) \
- ? -((png_int_32)((png_get_uint_32(buf) ^ 0xffffffffL) + 1)) \
+ ? -((png_int_32)(((png_get_uint_32(buf)^0xffffffffU)+1U)&0x7fffffffU)) \
 : (png_int_32)png_get_uint_32(buf)))
 #else
 PNG_EXPORT(png_uint_32,png_get_uint_32) PNGARG((png_bytep buf));
diff --git a/pngrutil.c b/pngrutil.c
index c5fc80468..25b8b88a3 100644
--- a/pngrutil.c
+++ b/pngrutil.c
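Review bot: The rewritten `?` arm of the png_get_int_32 macro in the last png.h hunk is correct on its own — `& 0x7fffffffU` maps only the byte pattern 0x80000000, whose two's-complement negation does not fit a png_int_32, to 0, and every other negative value still negates properly — but it no longer agrees with the out-of-line png_get_int_32 in the pngrutil.c hunk further down, where, as written, a clear sign bit returns `-(png_int_32)uval` and any set sign bit returns 0. The `#else` under the macro suggests PNG_USE_READ_MACROS selects between the two, so the same oFFs or pCAL bytes would decode to different values depending on build configuration. The function should mirror this macro: return `(png_int_32)uval` unchanged when the sign bit is clear, keep the `uval = (uval ^ 0xffffffffL) + 1;` step, then `if ((uval & 0x80000000) == 0) return -(png_int_32)uval;` and reach `return 0;` only for the overflow case. A one-line comment on the macro, `/* 0x80000000 has no png_int_32 negation; the mask maps it to 0 instead of overflowing. */`, would explain the mask to the next reader.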
@@ -41,8 +41,13 @@ png_uint_32 (PNGAPI png_get_uint_32)(png_bytep buf)
 {
 png_uint_32 uval = png_get_uint_32(buf);
- if ((uval & 0x80000000L) == 0) /* non-negative */
- return uval;
+ if ((uval & 0x80000000) == 0) /* no overflow */
+ return -(png_int_32)uval;
+ /* The following has to be safe; this function only gets called on PNG data
+ * and if we get here that data is invalid. 0 is the most safe value and
+ * if not then an attacker would surely just generate a PNG with 0 instead.
+ */
+ return 0;
 uval = (uval ^ 0xffffffffL) + 1; /* 2's complement: -x = ~x+1 */
 return -(png_int_32)uval;