[lbpng14] Avoid potential pointer overflow in png_handle_iTXt(),

png_handle_zTXt(), png_handle_sPLT(), and png_handle_pCAL() (Bug report by John Regehr).
2025-07-10 18:04:09 +02:00 · 2015-11-13 23:02:35 -06:00 · 2015-11-13 23:02:35 -06:00 · 5b948c3e11
commit 5b948c3e11
parent e9fa8b4364
3 changed files with 11 additions and 7 deletions
--- a/4
+++ b/4
@ -1,5 +1,5 @@

-Libpng 1.4.18beta01 - November 13, 2015
+Libpng 1.4.18beta01 - November 14, 2015

 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@ -28,6 +28,8 @@ Other information:
 Changes since the last public release (1.4.17):

 version 1.4.18beta01 [%RDATE%]
+  Avoid potential pointer overflow in png_handle_iTXt(), png_handle_zTXt(),
+    png_handle_sPLT(), and png_handle_pCAL() (Bug report by John Regehr).

 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit
--- a/4
+++ b/4
@ -3007,7 +3007,9 @@ version 1.4.17rc04 [November 5, 2015]
 version 1.4.17 [November 12, 2015]
  Cleaned up coding style in png_handle_PLTE().

-version 1.4.18beta01 [November 13, 2015]
+version 1.4.18beta01 [November 14, 2015]
+  Avoid potential pointer overflow in png_handle_iTXt(), png_handle_zTXt(),
+    png_handle_sPLT(), and png_handle_pCAL() (Bug report by John Regehr).

 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit
--- a/pngrutil.c
+++ b/pngrutil.c
@ -1159,7 +1159,7 @@ png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
   /* There should be at least one zero (the compression type byte)
    * following the separator, and we should be on it
    */
-   if ( profile >= png_ptr->chunkdata + slength - 1)
+   if (slength < 1 || profile >= png_ptr->chunkdata + slength - 1)
   {
      png_free(png_ptr, png_ptr->chunkdata);
      png_ptr->chunkdata = NULL;
@ -1297,7 +1297,7 @@ png_handle_sPLT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
   ++entry_start;

   /* A sample depth should follow the separator, and we should be on it  */
-   if (entry_start > (png_bytep)png_ptr->chunkdata + slength - 2)
+   if (slength < 2 || entry_start > (png_bytep)png_ptr->chunkdata + slength - 2)
   {
      png_free(png_ptr, png_ptr->chunkdata);
      png_ptr->chunkdata = NULL;
@ -1771,7 +1771,7 @@ png_handle_pCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)

   /* We need to have at least 12 bytes after the purpose string
      in order to get the parameter information. */
-   if (endptr <= buf + 12)
+   if (slength < 12 || endptr <= buf + 12)
   {
      png_warning(png_ptr, "Invalid pCAL data");
      png_free(png_ptr, png_ptr->chunkdata);
@ -2222,7 +2222,7 @@ png_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
      /* Empty loop */ ;

   /* zTXt must have some text after the chunkdataword */
-   if (text >= png_ptr->chunkdata + slength - 2)
+   if (slength < 2 || text >= png_ptr->chunkdata + slength - 2)
   {
      png_warning(png_ptr, "Truncated zTXt chunk");
      png_free(png_ptr, png_ptr->chunkdata);
@ -2348,7 +2348,7 @@ png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
    * keyword
    */

-   if (lang >= png_ptr->chunkdata + slength - 3)
+   if (slength < 3 || lang >= png_ptr->chunkdata + slength - 3)
   {
      png_warning(png_ptr, "Truncated iTXt chunk");
      png_free(png_ptr, png_ptr->chunkdata);