From 41de766f12f2cf1009656537036585735991eda3 Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Wed, 19 Aug 2015 12:47:00 -0500 Subject: [PATCH] [libpng14] Fixed the recently reported 1's complement security issue by replacing the value that is illegal in the PNG spec, in both signed and unsigned values, with 0. Illegal unsigned values (anything greater than or equal to 0x80000000) can still pass through, but since these are not illegal in ANSI-C (unlike 0x80000000 in the signed case) the checking that occurs later can catch them (John Bowler). Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert Seacord). --- ANNOUNCE | 13 +++++++++++-- CHANGES | 11 ++++++++++- libpng-1.4.17beta01.txt | 6 +++--- libpng.3 | 14 +++++++------- png.c | 16 +++++++++++----- png.h | 12 ++++++------ pngrutil.c | 9 +++++++-- 7 files changed, 55 insertions(+), 26 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index d15744f9c..cc394c17e 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,5 +1,5 @@ -Libpng 1.4.17beta01 - July 30, 2015 +Libpng 1.4.17beta01 - August 19, 2015 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -27,7 +27,7 @@ Other information: Changes since the last public release (1.4.16): -version 1.4.17beta01 [July 30, 2015] +version 1.4.17beta01 [August 19, 2015] Fix typecast in a png_debug2() statement in png_set_text_2() to avoid a compiler warning in PNG_DEBUG builds. Avoid Coverity issues 80855, 80856, and 80857 (PRINTF_ARG_MISMATCH) 
@@ -39,6 +39,15 @@ version 1.4.17beta01 [July 30, 2015] because usleep() is deprecated (port from libpng16). Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c Fixed uninitialized variable in contrib/gregbook/rpng2-x.c + Fixed some bad links in the man page. + Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert + Seacord). + Fixed the recently reported 1's complement security issue by replacing + the value that is illegal in the PNG spec, in both signed and unsigned + values, with 0. Illegal unsigned values (anything greater than or equal + to 0x80000000) can still pass through, but since these are not illegal + in ANSI-C (unlike 0x80000000 in the signed case) the checking that + occurs later can catch them (John Bowler). Send comments/corrections/commendations to glennrp at users.sourceforge.net or to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index 69a1d6389..d523c04e0 100644 --- a/CHANGES +++ b/CHANGES @@ -2957,7 +2957,7 @@ version 1.4.16rc01 [March 4, 2015] version 1.4.16 [March 19, 2015] No changes. -version 1.4.17beta01 [July 30, 2015] +version 1.4.17beta01 [August 19, 2015] Fix typecast in a png_debug2() statement in png_set_text_2() to avoid a compiler warning in PNG_DEBUG builds. Avoid Coverity issues 80855, 80856, and 80857 (PRINTF_ARG_MISMATCH) 
@@ -2969,6 +2969,15 @@ version 1.4.17beta01 [July 30, 2015] because usleep() is deprecated (port from libpng16). Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c Fixed uninitialized variable in contrib/gregbook/rpng2-x.c + Fixed some bad links in the man page. + Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert + Seacord). + Fixed the recently reported 1's complement security issue by replacing + the value that is illegal in the PNG spec, in both signed and unsigned + values, with 0. Illegal unsigned values (anything greater than or equal + to 0x80000000) can still pass through, but since these are not illegal + in ANSI-C (unlike 0x80000000 in the signed case) the checking that + occurs later can catch them (John Bowler). Send comments/corrections/commendations to glennrp at users.sourceforge.net or to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/libpng-1.4.17beta01.txt b/libpng-1.4.17beta01.txt index 9d05017c9..511fc9a54 100644 --- a/libpng-1.4.17beta01.txt +++ b/libpng-1.4.17beta01.txt @@ -1,6 +1,6 @@ libpng.txt - A description on how to use and modify libpng - libpng version 1.4.17beta01 - August 11, 2015 + libpng version 1.4.17beta01 - August 19, 2015 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2014 Glenn Randers-Pehrson @@ -11,7 +11,7 @@ libpng.txt - A description on how to use and modify libpng Based on: - libpng versions 0.97, January 1998, through 1.4.17beta01 - August 11, 2015 + libpng versions 0.97, January 1998, through 1.4.17beta01 - August 19, 2015 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2014 Glenn Randers-Pehrson @@ -3284,7 +3284,7 @@ Other rules can be inferred by inspecting the libpng source. XIII. Y2K Compliance in libpng -August 11, 2015 +August 19, 2015 Since the PNG Development group is an ad-hoc body, we can't make an official declaration. diff --git a/libpng.3 b/libpng.3 index 48474a23f..195621c35 100644 --- a/libpng.3 
+++ b/libpng.3 @@ -1,4 +1,4 @@ -.TH LIBPNG 3 "August 11, 2015" +.TH LIBPNG 3 "August 19, 2015" .SH NAME libpng \- Portable Network Graphics (PNG) Reference Library 1.4.17beta01 .SH SYNOPSIS @@ -442,7 +442,7 @@ Following is a copy of the libpng-manual.txt file that accompanies libpng. .SH LIBPNG.TXT libpng.txt - A description on how to use and modify libpng - libpng version 1.4.17beta01 - August 11, 2015 + libpng version 1.4.17beta01 - August 19, 2015 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2014 Glenn Randers-Pehrson @@ -453,7 +453,7 @@ libpng.txt - A description on how to use and modify libpng Based on: - libpng versions 0.97, January 1998, through 1.4.17beta01 - August 11, 2015 + libpng versions 0.97, January 1998, through 1.4.17beta01 - August 19, 2015 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2014 Glenn Randers-Pehrson @@ -3726,7 +3726,7 @@ Other rules can be inferred by inspecting the libpng source. .SH XIII. Y2K Compliance in libpng -August 11, 2015 +August 19, 2015 Since the PNG Development group is an ad-hoc body, we can't make an official declaration. @@ -4009,7 +4009,7 @@ possible without all of you. Thanks to Frank J. T. Wojcik for helping with the documentation. -Libpng version 1.4.17beta01 - August 11, 2015: +Libpng version 1.4.17beta01 - August 19, 2015: Initially created in 1995 by Guy Eric Schalnat, then of Group 42, Inc. Currently maintained by Glenn Randers-Pehrson (glennrp at users.sourceforge.net). @@ -4032,7 +4032,7 @@ this sentence. This code is released under the libpng license. -libpng versions 1.0.7, July 1, 2000, through 1.4.17beta01, August 11, 2015, are +libpng versions 1.0.7, July 1, 2000, through 1.4.17beta01, August 19, 2015, are Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, and are distributed according to the same disclaimer and license as libpng-1.0.6 with the following individuals added to the list of Contributing Authors: 
@@ -4124,7 +4124,7 @@ the additional disclaimers inserted at version 1.0.7.
 Glenn Randers-Pehrson
 glennrp at users.sourceforge.net
-August 11, 2015
+August 19, 2015
 .\" end of man page
diff --git a/png.c b/png.c
index de7298fd1..51f314efb 100644
--- a/png.c
+++ b/png.c
@@ -24,20 +24,24 @@ typedef version_1_4_17beta01 Your_png_h_is_not_version_1_4_17beta01;
  * stream we can set num_bytes = 8 so that libpng will not attempt to read
  * or write any of the magic bytes before it starts on the IHDR.
  */
-
 #ifdef PNG_READ_SUPPORTED
 void PNGAPI
 png_set_sig_bytes(png_structp png_ptr, int num_bytes)
 {
+   unsigned int nb = (unsigned int)num_bytes;
+
    png_debug(1, "in png_set_sig_bytes");
 
    if (png_ptr == NULL)
       return;
 
-   if (num_bytes > 8)
+   if (num_bytes < 0)
+      nb = 0;
+
+   if (nb > 8)
       png_error(png_ptr, "Too many bytes for PNG signature");
 
-   png_ptr->sig_bytes = (png_byte)(num_bytes < 0 ? 0 : num_bytes);
+   png_ptr->sig_bytes = (png_byte)nb;
 }
 
 /* Checks whether the supplied bytes match the PNG signature. We allow
@@ -220,6 +224,8 @@ png_info_init_3(png_infopp ptr_ptr, png_size_t png_info_struct_size)
       png_destroy_struct(info_ptr);
       info_ptr = (png_infop)png_create_struct(PNG_STRUCT_INFO);
       *ptr_ptr = info_ptr;
+      if (info_ptr == NULL)
+         return;
    }
 
    /* Set everything to 0 */
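Review bot: Out-of-range input is handled asymmetrically in the new png_set_sig_bytes body: a negative num_bytes is silently clamped by `if (num_bytes < 0) nb = 0;`, while anything above 8 is a fatal png_error. That preserves what the old `(png_byte)(num_bytes < 0 ? 0 : num_bytes)` did, but the intent is now spread over two statements with no comment; consider `/* A negative count means "no signature bytes consumed"; only counts above 8 are rejected. */` above the check, or a png_warning if silent clamping was not meant to be the contract. The cast before the sign test is well-defined for negative values, but the same thing reads more directly as a single initializer, `unsigned int nb = num_bytes < 0 ? 0 : (unsigned int)num_bytes;`, leaving `if (nb > 8)` as the only range check.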
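Review bot: The added `if (info_ptr == NULL) return;` in png_info_init_3 returns after `*ptr_ptr` has already been overwritten with NULL and without any diagnostic, so every caller now has to detect the failure itself. Because the previous info struct was destroyed a few lines earlier, that contract deserves a comment at the return, e.g. `/* Allocation failed: the old struct is gone and *ptr_ptr is NULL; callers must check. */`; whether png_create_struct can in fact return NULL is not visible in this hunk. The enclosing function starts outside the hunk.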
@@ -551,13 +557,13 @@ png_get_copyright(png_const_structp png_ptr)
 #else
 #ifdef __STDC__
    return ((png_charp) PNG_STRING_NEWLINE \
-     "libpng version 1.4.17beta01 - May 9, 2015" PNG_STRING_NEWLINE \
+     "libpng version 1.4.17beta01 - August 19, 2015" PNG_STRING_NEWLINE \
      "Copyright (c) 1998-2015 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \
      "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
      "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
      PNG_STRING_NEWLINE);
 #else
-   return ((png_charp) "libpng version 1.4.17beta01 - May 9, 2015\
+   return ((png_charp) "libpng version 1.4.17beta01 - August 19, 2015\
       Copyright (c) 1998-2015 Glenn Randers-Pehrson\
       Copyright (c) 1996-1997 Andreas Dilger\
       Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.");
diff --git a/png.h b/png.h
index c3bbe8110..aa5c4ddf2 100644
--- a/png.h
+++ b/png.h
@@ -1,7 +1,7 @@
 /* png.h - header file for PNG reference library
  *
- * libpng version 1.4.17beta01, July 13, 2015
+ * libpng version 1.4.17beta01, August 19, 2015
  *
  * Copyright (c) 1998-2015 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
@@ -12,7 +12,7 @@
  * Authors and maintainers:
  * libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat
  * libpng versions 0.89c, June 1996, through 0.96, May 1997: Andreas Dilger
- * libpng versions 0.97, January 1998, through 1.4.17beta01, July 13, 2015: Glenn
+ * libpng versions 0.97, January 1998, through 1.4.17beta01, August 19, 2015: Glenn
  * See also "Contributing Authors", below.
  *
  * Note about libpng version numbers:
@@ -215,7 +215,7 @@
  *
  * This code is released under the libpng license.
  *
- * libpng versions 1.0.7, July 1, 2000, through 1.4.17beta01, July 13, 2015, are
+ * libpng versions 1.0.7, July 1, 2000, through 1.4.17beta01, August 19, 2015, are
  * Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, and are
  * distributed according to the same disclaimer and license as libpng-1.0.6
  * with the following individuals added to the list of Contributing Authors:
@@ -322,7 +322,7 @@
  * Y2K compliance in libpng:
  * =========================
  *
- * July 13, 2015
+ * August 19, 2015
  *
  * Since the PNG Development group is an ad-hoc body, we can't make
  * an official declaration.
@@ -386,7 +386,7 @@
 /* Version information for png.h - this should match the version in png.c */
 #define PNG_LIBPNG_VER_STRING "1.4.17beta01"
 #define PNG_HEADER_VERSION_STRING \
-     " libpng version 1.4.17beta01 - July 13, 2015\n"
+     " libpng version 1.4.17beta01 - August 19, 2015\n"
 
 #define PNG_LIBPNG_VER_SONUM 14
 #define PNG_LIBPNG_VER_DLLNUM 14
@@ -2650,7 +2650,7 @@ PNG_EXPORT(png_bytep,png_get_io_chunk_name)
 # define png_get_int_32(buf) \
      ((png_int_32)((*(buf) & 0x80) \
-     ? -((png_int_32)((png_get_uint_32(buf) ^ 0xffffffffL) + 1)) \
+     ? -((png_int_32)(((png_get_uint_32(buf)^0xffffffffU)+1U)&0x7fffffffU)) \
      : (png_int_32)png_get_uint_32(buf)))
 #else
 PNG_EXPORT(png_uint_32,png_get_uint_32) PNGARG((png_bytep buf));
diff --git a/pngrutil.c b/pngrutil.c
index c5fc80468..25b8b88a3 100644
--- a/pngrutil.c
+++ b/pngrutil.c
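Review bot: The new `&0x7fffffffU` in the png_get_int_32 macro is what maps the PNG-illegal encoding 0x80000000 to 0 (its two's-complement negation would otherwise not fit png_int_32), but nothing at the macro says so; the rationale lives only in the commit message. A comment above the `# define` line, e.g. `/* 0x80000000 is not a valid PNG signed value; the mask maps it to 0 so the negation cannot overflow (keep in step with png_get_int_32() in pngrutil.c). */`, would keep this macro and the function version from drifting apart, since builds pick one or the other. As a point of style, the replaced line also drops the spaces around `^` and `+` that the neighbouring lines of the macro use.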
@@ -41,8 +41,13 @@ png_uint_32 (PNGAPI png_get_uint_32)(png_bytep buf) { png_uint_32 uval = png_get_uint_32(buf); - if ((uval & 0x80000000L) == 0) /* non-negative */ - return uval; + if ((uval & 0x80000000) == 0) /* no overflow */ + return -(png_int_32)uval; + /* The following has to be safe; this function only gets called on PNG data + * and if we get here that data is invalid. 0 is the most safe value and + * if not then an attacker would surely just generate a PNG with 0 instead. + */ + return 0; uval = (uval ^ 0xffffffffL) + 1; /* 2's complement: -x = ~x+1 */ return -(png_int_32)uval;