[libpng14] Moved png_check_keyword() from pngwutil.c to pngset.c

2025-07-10 18:04:09 +02:00 · 2015-12-13 16:00:58 -06:00 · 2015-12-13 16:00:58 -06:00 · 4c13318d38
commit 4c13318d38
parent 38a9ec94cb
4 changed files with 140 additions and 138 deletions
--- a/1
+++ b/1
@ -29,6 +29,7 @@ Changes since the last public release (1.4.18):
 version 1.4.19 [December 11, 2015]
  Fixed an out-of-range read in png_check_keyword() (Bug report from
    Qixue Xiao, CVE-2015-8540).
  Moved png_check_keyword() from pngwutil.c to pngset.c
 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit
--- a/pngpriv.h
+++ b/pngpriv.h
@ -1,9 +1,9 @@
 /* pngpriv.h - private declarations for use inside libpng
 *
- * libpng version 1.4.19beta01 - December 11, 2015
+ * libpng version 1.4.19beta02 - December 13, 2015
 * For conditions of distribution and use, see copyright notice in png.h
- * Copyright (c) 1998-2014 Glenn Randers-Pehrson
+ * Copyright (c) 1998-2002,2004,2006-2014 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
 *
@ -956,6 +956,9 @@ PNG_EXTERN void *png_far_to_near PNGARG((png_structp png_ptr,png_voidp ptr,
 #define png_debug2(l, m, p1, p2)
 #endif
 PNG_EXTERN png_size_t png_check_keyword PNGARG((png_structp png_ptr,
    png_charp key, png_charpp new_key));
 /* Maintainer: Put new private prototypes here ^ and in libpngpf.3 */
 #ifdef __cplusplus
--- a/pngset.c
+++ b/pngset.c
@ -1,7 +1,7 @@
 /* pngset.c - storage of image information into info struct
 *
- * Last changed in libpng 1.4.17 [November 12, 2015]
+ * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson
 * Copyright (c) 1998-2015 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@ -1025,7 +1025,6 @@ png_set_unknown_chunk_location(png_structp png_ptr, png_infop info_ptr,
 }
 #endif
 #ifdef PNG_MNG_FEATURES_SUPPORTED
 png_uint_32 PNGAPI
 png_permit_mng_features(png_structp png_ptr, png_uint_32 mng_features)
@ -1138,7 +1137,6 @@ png_set_invalid(png_structp png_ptr, png_infop info_ptr, int mask)
 }
 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
 /* This function was added to libpng 1.2.6 */
 void PNGAPI
@ -1188,4 +1186,135 @@ png_set_benign_errors(png_structp png_ptr, int allowed)
      png_ptr->flags &= ~PNG_FLAG_BENIGN_ERRORS_WARN;
 }
 #endif /* PNG_BENIGN_ERRORS_SUPPORTED */
-#endif /* PNG_READ_SUPPORTED || PNG_WRITE_SUPPORTED */
+
 #if defined(PNG_TEXT_SUPPORTED) || defined(PNG_pCAL_SUPPORTED) || \
    defined(PNG_iCCP_SUPPORTED) || defined(PNG_sPLT_SUPPORTED)
 /* Check that the tEXt or zTXt keyword is valid per PNG 1.0 specification,
 * and if invalid, correct the keyword rather than discarding the entire
 * chunk.  The PNG 1.0 specification requires keywords 1-79 characters in
 * length, forbids leading or trailing whitespace, multiple internal spaces,
 * and the non-break space (0x80) from ISO 8859-1.  Returns keyword length.
 *
 * The new_key is allocated to hold the corrected keyword and must be freed
 * by the calling routine.  This avoids problems with trying to write to
 * static keywords without having to have duplicate copies of the strings.
 */
 png_size_t /* PRIVATE */
 png_check_keyword(png_structp png_ptr, png_charp key, png_charpp new_key)
 {
   png_size_t key_len;
   png_charp kp, dp;
   int kflag;
   int kwarn=0;
   png_debug(1, "in png_check_keyword");
   *new_key = NULL;
   if (key == NULL || (key_len = png_strlen(key)) == 0)
   {
      png_warning(png_ptr, "zero length keyword");
      return ((png_size_t)0);
   }
   png_debug1(2, "Keyword to be checked is '%s'", key);
   *new_key = (png_charp)png_malloc_warn(png_ptr, (png_uint_32)(key_len + 2));
   if (*new_key == NULL)
   {
      png_warning(png_ptr, "Out of memory while procesing keyword");
      return ((png_size_t)0);
   }
   /* Replace non-printing characters with a blank and print a warning */
   for (kp = key, dp = *new_key; *kp != '\0'; kp++, dp++)
   {
      if ((png_byte)*kp < 0x20 ||
         ((png_byte)*kp > 0x7E && (png_byte)*kp < 0xA1))
      {
 #ifdef PNG_STDIO_SUPPORTED
         char msg[40];
         png_snprintf(msg, 40,
           "invalid keyword character 0x%02X", (png_byte)*kp);
         png_warning(png_ptr, msg);
 #else
         png_warning(png_ptr, "invalid character in keyword");
 #endif
         *dp = ' ';
      }
      else
      {
         *dp = *kp;
      }
   }
   *dp = '\0';
   /* Remove any trailing white space. */
   kp = *new_key + key_len - 1;
   if (*kp == ' ')
   {
      png_warning(png_ptr, "trailing spaces removed from keyword");
      while (key_len && *kp == ' ')
      {
         *(kp--) = '\0';
         key_len--;
      }
   }
   /* Remove any leading white space. */
   kp = *new_key;
   if (*kp == ' ')
   {
      png_warning(png_ptr, "leading spaces removed from keyword");
      while (*kp == ' ')
      {
         kp++;
         key_len--;
      }
   }
   png_debug1(2, "Checking for multiple internal spaces in '%s'", kp);
   /* Remove multiple internal spaces. */
   for (kflag = 0, dp = *new_key; *kp != '\0'; kp++)
   {
      if (*kp == ' ' && kflag == 0)
      {
         *(dp++) = *kp;
         kflag = 1;
      }
      else if (*kp == ' ')
      {
         key_len--;
         kwarn=1;
      }
      else
      {
         *(dp++) = *kp;
         kflag = 0;
      }
   }
   *dp = '\0';
   if (kwarn)
      png_warning(png_ptr, "extra interior spaces removed from keyword");
   if (key_len == 0)
   {
      png_free(png_ptr, *new_key);
      png_warning(png_ptr, "Zero length keyword");
   }
   if (key_len > 79)
   {
      png_warning(png_ptr, "keyword length must be 1 - 79 characters");
      (*new_key)[79] = '\0';
      key_len = 79;
   }
   return (key_len);
 }
 #endif /* TEXT || pCAL) || iCCP || sPLT */
 #endif /* READ || WRITE */
--- a/pngwutil.c
+++ b/pngwutil.c
@ -2,7 +2,7 @@
 /* pngwutil.c - utilities to write a PNG file
 *
 * Last changed in libpng 1.4.17 [November 12, 2015]
- * Copyright (c) 1998-2015 Glenn Randers-Pehrson
+ * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
 *
@ -1234,137 +1234,6 @@ png_write_hIST(png_structp png_ptr, png_uint_16p hist, int num_hist)
 }
 #endif
 #if defined(PNG_WRITE_TEXT_SUPPORTED) || defined(PNG_WRITE_pCAL_SUPPORTED) || \
    defined(PNG_WRITE_iCCP_SUPPORTED) || defined(PNG_WRITE_sPLT_SUPPORTED)
 /* Check that the tEXt or zTXt keyword is valid per PNG 1.0 specification,
 * and if invalid, correct the keyword rather than discarding the entire
 * chunk.  The PNG 1.0 specification requires keywords 1-79 characters in
 * length, forbids leading or trailing whitespace, multiple internal spaces,
 * and the non-break space (0x80) from ISO 8859-1.  Returns keyword length.
 *
 * The new_key is allocated to hold the corrected keyword and must be freed
 * by the calling routine.  This avoids problems with trying to write to
 * static keywords without having to have duplicate copies of the strings.
 */
 png_size_t /* PRIVATE */
 png_check_keyword(png_structp png_ptr, png_charp key, png_charpp new_key)
 {
   png_size_t key_len;
   png_charp kp, dp;
   int kflag;
   int kwarn=0;
   png_debug(1, "in png_check_keyword");
   *new_key = NULL;
   if (key == NULL || (key_len = png_strlen(key)) == 0)
   {
      png_warning(png_ptr, "zero length keyword");
      return ((png_size_t)0);
   }
   png_debug1(2, "Keyword to be checked is '%s'", key);
   *new_key = (png_charp)png_malloc_warn(png_ptr, (png_uint_32)(key_len + 2));
   if (*new_key == NULL)
   {
      png_warning(png_ptr, "Out of memory while procesing keyword");
      return ((png_size_t)0);
   }
   /* Replace non-printing characters with a blank and print a warning */
   for (kp = key, dp = *new_key; *kp != '\0'; kp++, dp++)
   {
      if ((png_byte)*kp < 0x20 ||
         ((png_byte)*kp > 0x7E && (png_byte)*kp < 0xA1))
      {
 #ifdef PNG_STDIO_SUPPORTED
         char msg[40];
         png_snprintf(msg, 40,
           "invalid keyword character 0x%02X", (png_byte)*kp);
         png_warning(png_ptr, msg);
 #else
         png_warning(png_ptr, "invalid character in keyword");
 #endif
         *dp = ' ';
      }
      else
      {
         *dp = *kp;
      }
   }
   *dp = '\0';
   /* Remove any trailing white space. */
   kp = *new_key + key_len - 1;
   if (*kp == ' ')
   {
      png_warning(png_ptr, "trailing spaces removed from keyword");
      while (key_len && *kp == ' ')
      {
         *(kp--) = '\0';
         key_len--;
      }
   }
   /* Remove any leading white space. */
   kp = *new_key;
   if (*kp == ' ')
   {
      png_warning(png_ptr, "leading spaces removed from keyword");
      while (*kp == ' ')
      {
         kp++;
         key_len--;
      }
   }
   png_debug1(2, "Checking for multiple internal spaces in '%s'", kp);
   /* Remove multiple internal spaces. */
   for (kflag = 0, dp = *new_key; *kp != '\0'; kp++)
   {
      if (*kp == ' ' && kflag == 0)
      {
         *(dp++) = *kp;
         kflag = 1;
      }
      else if (*kp == ' ')
      {
         key_len--;
         kwarn=1;
      }
      else
      {
         *(dp++) = *kp;
         kflag = 0;
      }
   }
   *dp = '\0';
   if (kwarn)
      png_warning(png_ptr, "extra interior spaces removed from keyword");
   if (key_len == 0)
   {
      png_free(png_ptr, *new_key);
      png_warning(png_ptr, "Zero length keyword");
   }
   if (key_len > 79)
   {
      png_warning(png_ptr, "keyword length must be 1 - 79 characters");
      (*new_key)[79] = '\0';
      key_len = 79;
   }
   return (key_len);
 }
 #endif
 #ifdef PNG_WRITE_tEXt_SUPPORTED
 /* Write a tEXt chunk */
 void /* PRIVATE */