[libpng14] Fixed the recently reported 1's complement security issue by

replacing the value that is illegal in the PNG spec, in both signed and
unsigned values, with 0. Illegal unsigned values (anything greater than or equal
to  0x80000000) can still pass through, but since these are not illegal
in ANSI-C (unlike 0x80000000 in the signed case) the checking that
occurs later can catch them (John Bowler).

Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert
Seacord).

ANNOUNCE

@@ -1,5 +1,5 @@
 
-Libpng 1.4.17beta01 - July 30, 2015
+Libpng 1.4.17beta01 - August 19, 2015
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -27,7 +27,7 @@ Other information:
 
 Changes since the last public release (1.4.16):
 
-version 1.4.17beta01 [July 30, 2015]
+version 1.4.17beta01 [August 19, 2015]
   Fix typecast in a png_debug2() statement in png_set_text_2() to
     avoid a compiler warning in PNG_DEBUG builds.
   Avoid Coverity issues 80855, 80856, and 80857 (PRINTF_ARG_MISMATCH)
@@ -39,6 +39,15 @@ version 1.4.17beta01 [July 30, 2015]
     because usleep() is deprecated (port from libpng16).
   Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c
   Fixed uninitialized variable in contrib/gregbook/rpng2-x.c
+  Fixed some bad links in the man page.
+  Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert
+    Seacord).
+  Fixed the recently reported 1's complement security issue by replacing
+    the value that is illegal in the PNG spec, in both signed and unsigned
+    values, with 0. Illegal unsigned values (anything greater than or equal
+    to  0x80000000) can still pass through, but since these are not illegal
+    in ANSI-C (unlike 0x80000000 in the signed case) the checking that
+    occurs later can catch them (John Bowler).
 
 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit

CHANGES

@@ -2957,7 +2957,7 @@ version 1.4.16rc01 [March 4, 2015]
 version 1.4.16 [March 19, 2015]
   No changes.
 
-version 1.4.17beta01 [July 30, 2015]
+version 1.4.17beta01 [August 19, 2015]
   Fix typecast in a png_debug2() statement in png_set_text_2() to
     avoid a compiler warning in PNG_DEBUG builds.
   Avoid Coverity issues 80855, 80856, and 80857 (PRINTF_ARG_MISMATCH)
@@ -2969,6 +2969,15 @@ version 1.4.17beta01 [July 30, 2015]
     because usleep() is deprecated (port from libpng16).
   Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c
   Fixed uninitialized variable in contrib/gregbook/rpng2-x.c
+  Fixed some bad links in the man page.
+  Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert
+    Seacord).
+  Fixed the recently reported 1's complement security issue by replacing
+    the value that is illegal in the PNG spec, in both signed and unsigned
+    values, with 0. Illegal unsigned values (anything greater than or equal
+    to  0x80000000) can still pass through, but since these are not illegal
+    in ANSI-C (unlike 0x80000000 in the signed case) the checking that
+    occurs later can catch them (John Bowler).
 
 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit

libpng-1.4.17beta01.txt

@@ -1,6 +1,6 @@
 libpng.txt - A description on how to use and modify libpng
 
- libpng version 1.4.17beta01 - August 11, 2015
+ libpng version 1.4.17beta01 - August 19, 2015
  Updated and distributed by Glenn Randers-Pehrson
  <glennrp at users.sourceforge.net>
  Copyright (c) 1998-2014 Glenn Randers-Pehrson
@@ -11,7 +11,7 @@ libpng.txt - A description on how to use and modify libpng
 
  Based on:
 
- libpng versions 0.97, January 1998, through 1.4.17beta01 - August 11, 2015
+ libpng versions 0.97, January 1998, through 1.4.17beta01 - August 19, 2015
  Updated and distributed by Glenn Randers-Pehrson
  Copyright (c) 1998-2014 Glenn Randers-Pehrson
 
@@ -3284,7 +3284,7 @@ Other rules can be inferred by inspecting the libpng source.
 
 XIII. Y2K Compliance in libpng
 
-August 11, 2015
+August 19, 2015
 
 Since the PNG Development group is an ad-hoc body, we can't make
 an official declaration.

libpng.3

@@ -1,4 +1,4 @@
-.TH LIBPNG 3 "August 11, 2015"
+.TH LIBPNG 3 "August 19, 2015"
 .SH NAME
 libpng \- Portable Network Graphics (PNG) Reference Library 1.4.17beta01
 .SH SYNOPSIS
@@ -442,7 +442,7 @@ Following is a copy of the libpng-manual.txt file that accompanies libpng.
 .SH LIBPNG.TXT
 libpng.txt - A description on how to use and modify libpng
 
- libpng version 1.4.17beta01 - August 11, 2015
+ libpng version 1.4.17beta01 - August 19, 2015
  Updated and distributed by Glenn Randers-Pehrson
  <glennrp at users.sourceforge.net>
  Copyright (c) 1998-2014 Glenn Randers-Pehrson
@@ -453,7 +453,7 @@ libpng.txt - A description on how to use and modify libpng
 
  Based on:
 
- libpng versions 0.97, January 1998, through 1.4.17beta01 - August 11, 2015
+ libpng versions 0.97, January 1998, through 1.4.17beta01 - August 19, 2015
  Updated and distributed by Glenn Randers-Pehrson
  Copyright (c) 1998-2014 Glenn Randers-Pehrson
 
@@ -3726,7 +3726,7 @@ Other rules can be inferred by inspecting the libpng source.
 
 .SH XIII. Y2K Compliance in libpng
 
-August 11, 2015
+August 19, 2015
 
 Since the PNG Development group is an ad-hoc body, we can't make
 an official declaration.
@@ -4009,7 +4009,7 @@ possible without all of you.
 
 Thanks to Frank J. T. Wojcik for helping with the documentation.
 
-Libpng version 1.4.17beta01 - August 11, 2015:
+Libpng version 1.4.17beta01 - August 19, 2015:
 Initially created in 1995 by Guy Eric Schalnat, then of Group 42, Inc.
 Currently maintained by Glenn Randers-Pehrson (glennrp at users.sourceforge.net).
 
@@ -4032,7 +4032,7 @@ this sentence.
 
 This code is released under the libpng license.
 
-libpng versions 1.0.7, July 1, 2000, through 1.4.17beta01, August 11, 2015, are
+libpng versions 1.0.7, July 1, 2000, through 1.4.17beta01, August 19, 2015, are
 Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, and are
 distributed according to the same disclaimer and license as libpng-1.0.6
 with the following individuals added to the list of Contributing Authors:
@@ -4124,7 +4124,7 @@ the additional disclaimers inserted at version 1.0.7.
 
 Glenn Randers-Pehrson
 glennrp at users.sourceforge.net
-August 11, 2015
+August 19, 2015
 
 .\" end of man page
 

png.c

@@ -24,20 +24,24 @@ typedef version_1_4_17beta01 Your_png_h_is_not_version_1_4_17beta01;
  * stream we can set num_bytes = 8 so that libpng will not attempt to read
  * or write any of the magic bytes before it starts on the IHDR.
  */
-
 #ifdef PNG_READ_SUPPORTED
 void PNGAPI
 png_set_sig_bytes(png_structp png_ptr, int num_bytes)
 {
+   unsigned int nb = (unsigned int)num_bytes;
+
    png_debug(1, "in png_set_sig_bytes");
 
    if (png_ptr == NULL)
       return;
 
-   if (num_bytes > 8)
+   if (num_bytes < 0)
+      nb = 0;
+
+   if (nb > 8)
       png_error(png_ptr, "Too many bytes for PNG signature");
 
-   png_ptr->sig_bytes = (png_byte)(num_bytes < 0 ? 0 : num_bytes);
+   png_ptr->sig_bytes = (png_byte)nb;
 }
 
 /* Checks whether the supplied bytes match the PNG signature.  We allow
@@ -220,6 +224,8 @@ png_info_init_3(png_infopp ptr_ptr, png_size_t png_info_struct_size)
       png_destroy_struct(info_ptr);
       info_ptr = (png_infop)png_create_struct(PNG_STRUCT_INFO);
       *ptr_ptr = info_ptr;
+      if (info_ptr == NULL)
+         return;
    }
 
    /* Set everything to 0 */
@@ -551,13 +557,13 @@ png_get_copyright(png_const_structp png_ptr)
 #else
 #ifdef __STDC__
    return ((png_charp) PNG_STRING_NEWLINE \
-     "libpng version 1.4.17beta01 - May 9, 2015" PNG_STRING_NEWLINE \
+     "libpng version 1.4.17beta01 - August 19, 2015" PNG_STRING_NEWLINE \
      "Copyright (c) 1998-2015 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \
      "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
      "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
      PNG_STRING_NEWLINE);
 #else
-      return ((png_charp) "libpng version 1.4.17beta01 - May 9, 2015\
+      return ((png_charp) "libpng version 1.4.17beta01 - August 19, 2015\
       Copyright (c) 1998-2015 Glenn Randers-Pehrson\
       Copyright (c) 1996-1997 Andreas Dilger\
       Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.");

png.h

@@ -1,7 +1,7 @@
 
 /* png.h - header file for PNG reference library
  *
- * libpng version 1.4.17beta01, July 13, 2015
+ * libpng version 1.4.17beta01, August 19, 2015
  *
  * Copyright (c) 1998-2015 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
@@ -12,7 +12,7 @@
  * Authors and maintainers:
  *  libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat
  *  libpng versions 0.89c, June 1996, through 0.96, May 1997: Andreas Dilger
- *  libpng versions 0.97, January 1998, through 1.4.17beta01, July 13, 2015: Glenn
+ *  libpng versions 0.97, January 1998, through 1.4.17beta01, August 19, 2015: Glenn
  *  See also "Contributing Authors", below.
  *
  * Note about libpng version numbers:
@@ -215,7 +215,7 @@
  *
  * This code is released under the libpng license.
  *
- * libpng versions 1.0.7, July 1, 2000, through 1.4.17beta01, July 13, 2015, are
+ * libpng versions 1.0.7, July 1, 2000, through 1.4.17beta01, August 19, 2015, are
  * Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, and are
  * distributed according to the same disclaimer and license as libpng-1.0.6
  * with the following individuals added to the list of Contributing Authors:
@@ -322,7 +322,7 @@
  * Y2K compliance in libpng:
  * =========================
  *
- *    July 13, 2015
+ *    August 19, 2015
  *
  *    Since the PNG Development group is an ad-hoc body, we can't make
  *    an official declaration.
@@ -386,7 +386,7 @@
 /* Version information for png.h - this should match the version in png.c */
 #define PNG_LIBPNG_VER_STRING "1.4.17beta01"
 #define PNG_HEADER_VERSION_STRING \
-   " libpng version 1.4.17beta01 - July 13, 2015\n"
+   " libpng version 1.4.17beta01 - August 19, 2015\n"
 
 #define PNG_LIBPNG_VER_SONUM   14
 #define PNG_LIBPNG_VER_DLLNUM  14
@@ -2650,7 +2650,7 @@ PNG_EXPORT(png_bytep,png_get_io_chunk_name)
 
 #  define png_get_int_32(buf) \
      ((png_int_32)((*(buf) & 0x80) \
-      ? -((png_int_32)((png_get_uint_32(buf) ^ 0xffffffffL) + 1)) \
+      ? -((png_int_32)(((png_get_uint_32(buf)^0xffffffffU)+1U)&0x7fffffffU)) \
       : (png_int_32)png_get_uint_32(buf)))
 #else
 PNG_EXPORT(png_uint_32,png_get_uint_32) PNGARG((png_bytep buf));

pngrutil.c

@@ -41,8 +41,13 @@ png_uint_32 (PNGAPI
 png_get_uint_32)(png_bytep buf)
 {
    png_uint_32 uval = png_get_uint_32(buf);
-   if ((uval & 0x80000000L) == 0) /* non-negative */
+   if ((uval & 0x80000000) == 0) /* no overflow */
-      return uval;
+       return -(png_int_32)uval;
+   /* The following has to be safe; this function only gets called on PNG data
+    * and if we get here that data is invalid.  0 is the most safe value and
+    * if not then an attacker would surely just generate a PNG with 0 instead.
+    */
+   return 0;
 
    uval = (uval ^ 0xffffffffL) + 1;  /* 2's complement: -x = ~x+1 */
    return -(png_int_32)uval;