mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[libpng16] Added overflow detection in png_set_sPLT() and png_set_text_2().

Browse Source
This commit is contained in:
Glenn Randers-Pehrson 2013-01-19 08:49:12 -06:00
parent c5c8b542fb
commit 590c8b0987
3 changed files with 56 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ANNOUNCE
View File

@ -1,5 +1,5 @@
Libpng 1.6.0beta39 - January 17, 2013 Libpng 1.6.0beta39 - January 19, 2013
This is not intended to be a public release. It will be replaced This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version. within a few weeks by a public version or by another test version.
@ -587,10 +587,9 @@ Version 1.6.0beta37 [January 10, 2013]
Fixed conceivable but difficult to repro overflow. Also added two test Fixed conceivable but difficult to repro overflow. Also added two test
programs to generate and test a PNG which should have the problem. programs to generate and test a PNG which should have the problem.
Version 1.6.0beta38 [January 17, 2013] Version 1.6.0beta39 [January 19, 2013]
Corrected previous attempt at overflow detection in png_set_unknown_chunks(). Again corrected attempt at overflow detection in png_set_unknown_chunks().
Added overflow detection in png_set_sPLT() and png_set_text_2().
Version 1.6.0beta39 [January 17, 2013]
=========================================================================== ===========================================================================
NOTICE November 17, 2012: NOTICE November 17, 2012:

7
CHANGES
View File

@ -4340,10 +4340,9 @@ Version 1.6.0beta37 [January 10, 2013]
Fixed conceivable but difficult to repro overflow. Also added two test Fixed conceivable but difficult to repro overflow. Also added two test
programs to generate and test a PNG which should have the problem. programs to generate and test a PNG which should have the problem.
Version 1.6.0beta38 [January 17, 2013] Version 1.6.0beta39 [January 19, 2013]
Corrected previous attempt at overflow detection in png_set_unknown_chunks(). Again corrected attempt at overflow detection in png_set_unknown_chunks().
Added overflow detection in png_set_sPLT() and png_set_text_2().
Version 1.6.0beta39 [January 17, 2013]
=========================================================================== ===========================================================================
NOTICE November 17, 2012: NOTICE November 17, 2012:

77
pngset.c
View File

@ -701,7 +701,22 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
/* Make sure we have enough space in the "text" array in info_struct /* Make sure we have enough space in the "text" array in info_struct
* to hold all of the incoming text_ptr objects. * to hold all of the incoming text_ptr objects.
*
* There were two overflow conditions here, one on the count and one on
* memory. On a 32-bit system the memory limit is critical, while on a
* 64-bit system the count limit is critical. This test defends against
* both.
*/ */
if (num_text < 0 ||
num_text > INT_MAX - info_ptr->num_text - 8 ||
(unsigned int)/*SAFE*/(num_text +/*SAFE*/
info_ptr->num_text + 8) >=
PNG_SIZE_MAX/(sizeof (png_text)))
{
png_warning(png_ptr, "too many text chunks");
return(0);
}
if (info_ptr->num_text + num_text > info_ptr->max_text) if (info_ptr->num_text + num_text > info_ptr->max_text)
{ {
int old_max_text = info_ptr->max_text; int old_max_text = info_ptr->max_text;
@ -980,8 +995,16 @@ png_set_sPLT(png_const_structrp png_ptr,
entries == NULL) entries == NULL)
return; return;
np = png_voidcast(png_sPLT_tp, png_malloc_warn(png_ptr, /* See explanation of this in png_set_text_2(). */
(info_ptr->splt_palettes_num + nentries) * (sizeof (png_sPLT_t)))); if (nentries < 0 ||
nentries > INT_MAX-info_ptr->splt_palettes_num ||
(unsigned int)(nentries + info_ptr->splt_palettes_num) >=
PNG_SIZE_MAX/(sizeof (png_sPLT_t)))
np=NULL;
else
np = png_voidcast(png_sPLT_tp, png_malloc_warn(png_ptr,
(info_ptr->splt_palettes_num + nentries) * (sizeof (png_sPLT_t))));
if (np == NULL) if (np == NULL)
{ {
@ -1086,12 +1109,11 @@ check_location(png_const_structrp png_ptr, int location)
void PNGAPI void PNGAPI
png_set_unknown_chunks(png_const_structrp png_ptr, png_set_unknown_chunks(png_const_structrp png_ptr,
png_inforp info_ptr, png_const_unknown_chunkp unknowns, int num_unknowns_in) png_inforp info_ptr, png_const_unknown_chunkp unknowns, int num_unknowns)
{ {
png_uint_32 num_unknowns;
png_unknown_chunkp np; png_unknown_chunkp np;
if (png_ptr == NULL || info_ptr == NULL || num_unknowns_in <= 0) if (png_ptr == NULL || info_ptr == NULL || num_unknowns <= 0)
return; return;
/* Check for the failure cases where support has been disabled at compile /* Check for the failure cases where support has been disabled at compile
@ -1117,33 +1139,32 @@ png_set_unknown_chunks(png_const_structrp png_ptr,
} }
# endif # endif
/* Prior to 1.6.0 this code used png_malloc_warn, however this meant that /* See the comments in png_set_text_2(). */
* unknown critical chunks could be lost with just a warning resulting in if (num_unknowns < 0 ||
* undefined behavior. Changing to png_malloc fixes this by producing a num_unknowns > INT_MAX-info_ptr->unknown_chunks_num ||
* png_error. The (png_size_t) cast was also removed as it hides a potential (unsigned int)(num_unknowns +
* overflow. info_ptr->unknown_chunks_num) >=
*/ PNG_SIZE_MAX/(sizeof (png_unknown_chunk)))
num_unknowns = (unsigned int)/*SAFE*/num_unknowns_in; np=NULL;
/* There are two overflow conditions, one on the count one on memory, on a else
* 32-bit system the memory limit is critical, on a 64-bit system the count /* Prior to 1.6.0 this code used png_malloc_warn; however, this meant that
* limit. * unknown critical chunks could be lost with just a warning resulting in
*/ * undefined behavior. Changing to png_malloc fixes this by producing a
if (num_unknowns > PNG_UINT_32_MAX - info_ptr->unknown_chunks_num || * png_error. The (png_size_t) cast was also removed as it hides a
num_unknowns + info_ptr->unknown_chunks_num > PNG_SIZE_MAX/(sizeof *np)) * potential overflow.
{
/* This is a benign read error (user limits are disabled and we are about
* to overflow 2^32 chunks) and an application write error.
*/ */
png_chunk_report(png_ptr, "too many unknown chunks", np = png_voidcast(png_unknown_chunkp, png_malloc(png_ptr,
PNG_CHUNK_WRITE_ERROR); (info_ptr->unknown_chunks_num + num_unknowns) *
(sizeof (png_unknown_chunk))));
if (np == NULL)
{
png_warning(png_ptr,
"Out of memory while processing unknown chunk");
return; return;
} }
np = png_voidcast(png_unknown_chunkp, png_malloc(png_ptr,
(info_ptr->unknown_chunks_num + num_unknowns) *
(sizeof (png_unknown_chunk))));
memcpy(np, info_ptr->unknown_chunks, memcpy(np, info_ptr->unknown_chunks,
info_ptr->unknown_chunks_num * (sizeof (png_unknown_chunk))); info_ptr->unknown_chunks_num * (sizeof (png_unknown_chunk)));
@ -1515,7 +1536,7 @@ void PNGAPI
png_set_chunk_cache_max (png_structrp png_ptr, png_uint_32 user_chunk_cache_max) png_set_chunk_cache_max (png_structrp png_ptr, png_uint_32 user_chunk_cache_max)
{ {
if (png_ptr) if (png_ptr)
png_ptr->user_chunk_cache_max = user_chunk_cache_max; png_ptr->user_chunk_cache_max = (int) user_chunk_cache_max;
} }
/* This function was added to libpng 1.4.1 */ /* This function was added to libpng 1.4.1 */