mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[libpng17] Removed user limits from pngfix. Also pass NULL pointers to

Browse Source 
png_read_row to skip the unnecessary row de-interlace stuff.
This commit is contained in:
John Bowler 2014-12-24 17:45:38 -06:00 committed by Glenn Randers-Pehrson
parent 13f025c29a
commit 56850aba35
3 changed files with 35 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ANNOUNCE
View File

@ -673,10 +673,12 @@ Version 1.7.0beta44 [December 23, 2014]
Removed extraneous handling of PNG_SAFE_LIMITS_SUPPORTED from pngconf.h Removed extraneous handling of PNG_SAFE_LIMITS_SUPPORTED from pngconf.h
Version 1.7.0beta45 [December 24, 2014] Version 1.7.0beta45 [December 24, 2014]
Eliminated the PNG_SAFE_LIMITS macro and set default limits in Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column
pnglibconf.dfa, that can be reset by the user at build time or run time. and 1-million-row default limits in pnglibconf.dfa, that can be reset
This provides a more robust defense against DOS and as-yet undiscovered by the user at build time or run time. This provides a more robust
overflows. defense against DOS and as-yet undiscovered overflows.
Removed user limits from pngfix. Also pass NULL pointers to
png_read_row to skip the unnecessary row de-interlace stuff.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

10
CHANGES
View File

@ -4962,10 +4962,12 @@ Version 1.7.0beta44 [December 23, 2014]
Removed extraneous handling of PNG_SAFE_LIMITS_SUPPORTED from pngconf.h Removed extraneous handling of PNG_SAFE_LIMITS_SUPPORTED from pngconf.h
Version 1.7.0beta45 [December 24, 2014] Version 1.7.0beta45 [December 24, 2014]
Eliminated the PNG_SAFE_LIMITS macro and set default limits in Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column
pnglibconf.dfa, that can be reset by the user at build time or run time. and 1-million-row default limits in pnglibconf.dfa, that can be reset
This provides a more robust defense against DOS and as-yet undiscovered by the user at build time or run time. This provides a more robust
overflows. defense against DOS and as-yet undiscovered overflows.
Removed user limits from pngfix. Also pass NULL pointers to
png_read_row to skip the unnecessary row de-interlace stuff.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

29
contrib/tools/pngfix.c
View File

@ -3577,7 +3577,6 @@ read_png(struct control *control)
{ {
png_structp png_ptr; png_structp png_ptr;
png_infop info_ptr = NULL; png_infop info_ptr = NULL;
volatile png_bytep row = NULL, display = NULL;
volatile int rc; volatile int rc;
png_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING, control, png_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING, control,
@ -3594,6 +3593,16 @@ read_png(struct control *control)
rc = setjmp(control->file.jmpbuf); rc = setjmp(control->file.jmpbuf);
if (rc == 0) if (rc == 0)
{ {
# ifdef PNG_SET_USER_LIMITS_SUPPORTED
/* Remove any limits on the size of PNG files that can be read,
* without this we may reject files based on built-in safety
* limits.
*/
png_set_user_limits(png_ptr, 0x7fffffff, 0x7fffffff);
png_set_chunk_cache_max(png_ptr, 0);
png_set_chunk_malloc_max(png_ptr, 0);
# endif
png_set_read_fn(png_ptr, control, read_callback); png_set_read_fn(png_ptr, control, read_callback);
info_ptr = png_create_info_struct(png_ptr); info_ptr = png_create_info_struct(png_ptr);
@ -3605,15 +3614,6 @@ read_png(struct control *control)
png_read_info(png_ptr, info_ptr); png_read_info(png_ptr, info_ptr);
{
png_size_t rowbytes = png_get_rowbytes(png_ptr, info_ptr);
row = png_voidcast(png_byte*, malloc(rowbytes));
display = png_voidcast(png_byte*, malloc(rowbytes));
if (row == NULL || display == NULL)
png_error(png_ptr, "OOM allocating row buffers");
{ {
png_uint_32 height = png_get_image_height(png_ptr, info_ptr); png_uint_32 height = png_get_image_height(png_ptr, info_ptr);
int passes = png_set_interlace_handling(png_ptr); int passes = png_set_interlace_handling(png_ptr);
@ -3625,12 +3625,11 @@ read_png(struct control *control)
{ {
png_uint_32 y = height; png_uint_32 y = height;
/* NOTE: this trashes the row each time; interlace handling won't /* NOTE: this skips asking libpng to return either version of
* work, but this avoids memory thrashing for speed testing. * the image row, but libpng still reads the rows.
*/ */
while (y-- > 0) while (y-- > 0)
png_read_row(png_ptr, row, display); png_read_row(png_ptr, NULL, NULL);
}
} }
} }
@ -3642,8 +3641,6 @@ read_png(struct control *control)
} }
png_destroy_read_struct(&png_ptr, &info_ptr, NULL); png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
if (row != NULL) free(row);
if (display != NULL) free(display);
return rc; return rc;
} }