[libpng15] Revised the SAFE_LIMITS feature to be the same as the feature in

libpng16.  Added information about the new limits in the manual.

ANNOUNCE

@@ -1,5 +1,5 @@
 
-Libpng 1.5.10beta02 - February 24, 2012
+Libpng 1.5.10beta01 - February 24, 2012
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -9,20 +9,20 @@ Files available for download:
 Source files with LF line endings (for Unix/Linux) and with a
 "configure" script
 
-   1.5.10beta02.tar.xz (LZMA-compressed, recommended)
-   1.5.10beta02.tar.gz
-   1.5.10beta02.tar.bz2
+   1.5.10beta01.tar.xz (LZMA-compressed, recommended)
+   1.5.10beta01.tar.gz
+   1.5.10beta01.tar.bz2
 
 Source files with CRLF line endings (for Windows), without the
 "configure" script
 
-   lp1510b02.7z  (LZMA-compressed, recommended)
-   lp1510b02.zip
+   lp1510b01.7z  (LZMA-compressed, recommended)
+   lp1510b01.zip
 
 Other information:
 
-   1.5.10beta02-README.txt
-   1.5.10beta02-LICENSE.txt
+   1.5.10beta01-README.txt
+   1.5.10beta01-LICENSE.txt
 
 Changes since the last public release (1.5.9):
 
@@ -37,13 +37,9 @@ Version 1.5.10beta01 [February 24, 2012]
   Fixed bug with png_handle_hIST with odd chunk length (Frank Busse).
   Added PNG_SAFE_LIMITS feature to pnglibconf.dfa and code in pngconf.h
     to reset the user limits to safe ones if PNG_SAFE_LIMITS is defined.
-    To enable, use PNG_COPTS=-DPNG_SAFE_LIMITS on the configure command
-    or put #define PNG_SAFE_LIMITS_SUPPORTED in pnglibconf.h.
-
-Version 1.5.10beta02 [February 24, 2012]
-  Revised pngconf.h to always set the "safe" limits when
-    PNG_SAFE_LIMITS_SUPPORTED is defined, even if pnglibconf.h has
-    been edited to remove the limit definitions.
+    To enable, use "CPPFLAGS=-DPNG_SAFE_LIMITS_SUPPORTED=" on the configure
+    command or put "#define PNG_SAFE_LIMITS_SUPPORTED" in pnglibconf.h.
+  Revised the SAFE_LIMITS feature to be the same as the feature in libpng16.
   Added information about the new limits in the manual.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net:

CHANGES

@@ -3822,13 +3822,9 @@ Version 1.5.10beta01 [February 24, 2012]
   Fixed bug with png_handle_hIST with odd chunk length (Frank Busse).
   Added PNG_SAFE_LIMITS feature to pnglibconf.dfa and code in pngconf.h
     to reset the user limits to safe ones if PNG_SAFE_LIMITS is defined.
-    To enable, use PNG_COPTS=-DPNG_SAFE_LIMITS on the configure command
-    or put #define PNG_SAFE_LIMITS_SUPPORTED in pnglibconf.h.
-
-Version 1.5.10beta02 [February 24, 2012]
-  Revised pngconf.h to always set the "safe" limits when
-    PNG_SAFE_LIMITS_SUPPORTED is defined, even if pnglibconf.h has
-    been edited to remove the limit definitions.
+    To enable, use "CPPFLAGS=-DPNG_SAFE_LIMITS_SUPPORTED=" on the configure
+    command or put "#define PNG_SAFE_LIMITS_SUPPORTED" in pnglibconf.h.
+  Revised the SAFE_LIMITS feature to be the same as the feature in libpng16.
   Added information about the new limits in the manual.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net

Makefile.am

@@ -153,11 +153,11 @@ SYMBOL_CFLAGS = -DPNGLIB_LIBNAME='PNG@PNGLIB_MAJOR@@PNGLIB_MINOR@_0'\
 	mv dfn3.out $@
 
 # The .dfn file for pnglibconf.h is machine generated
-pnglibconf.dfn: scripts/pnglibconf.dfa scripts/options.awk pngconf.h
+pnglibconf.dfn: scripts/pnglibconf.dfa scripts/options.awk pngconf.h pngusr.dfa
 	rm -f $@ dfn?.out
 	$(AWK) -f ${srcdir}/scripts/options.awk out=dfn1.out version=search\
 	    ${srcdir}/pngconf.h ${srcdir}/scripts/pnglibconf.dfa\
-	    $(DFA_XTRA) 1>&2
+ 	    ${srcdir}/pngusr.dfa $(DFA_XTRA) 1>&2
 	$(AWK) -f ${srcdir}/scripts/options.awk out=dfn2.out dfn1.out 1>&2
 	rm dfn1.out
 	mv dfn2.out $@

libpng-manual.txt

@@ -1,6 +1,6 @@
 libpng-manual.txt - A description on how to use and modify libpng
 
- libpng version 1.5.10beta02 - February 24, 2012
+ libpng version 1.5.10beta01 - February 24, 2012
  Updated and distributed by Glenn Randers-Pehrson
  <glennrp at users.sourceforge.net>
  Copyright (c) 1998-2011 Glenn Randers-Pehrson
@@ -11,7 +11,7 @@ libpng-manual.txt - A description on how to use and modify libpng
 
  Based on:
 
- libpng versions 0.97, January 1998, through 1.5.10beta02 - February 24, 2012
+ libpng versions 0.97, January 1998, through 1.5.10beta01 - February 24, 2012
  Updated and distributed by Glenn Randers-Pehrson
  Copyright (c) 1998-2011 Glenn Randers-Pehrson
 
@@ -4261,11 +4261,10 @@ that it could be used to override them.  Now this function will reduce or
 increase the limits.
 
 Starting in libpng-1.5.10, the user limits can be set en masse with the
-configuration option PNG_SAFE_LIMITS.  If this option is enabled, then
-the limits in pnglibconf.h are ignored and a set of "safe" limits is
-applied in pngconf.h.  These can be overridden by application calls
-to png_set_user_limits(), png_set_user_chunk_cache_max(), and/or
-png_set_user_malloc_max() that increase or decrease the limits.  Also,
+configuration option PNG_SAFE_LIMITS_SUPPORTED.  If this option is enabled,
+a set of "safe" limits is applied in pngpriv.h.  These can be overridden by
+application calls to png_set_user_limits(), png_set_user_chunk_cache_max(),
+and/or png_set_user_malloc_max() that increase or decrease the limits.  Also,
 in libpng-1.5.10 the default width and height limits were increased
 from 1,000,000 to 0x7ffffff (i.e., made unlimited).  Therefore, the
 limits are now
@@ -4273,7 +4272,7 @@ limits are now
    png_user_width_max        0x7fffffff    1,000,000
    png_user_height_max       0x7fffffff    1,000,000
    png_user_chunk_cache_max  0 (unlimited)   128
-   png_user_chunk_malloc_max 0 (unlimited) 4,000,000
+   png_user_chunk_malloc_max 0 (unlimited) 8,000,000
 
 B. Changes to the build and configuration of libpng
 
@@ -4594,7 +4593,7 @@ Since the PNG Development group is an ad-hoc body, we can't make
 an official declaration.
 
 This is your unofficial assurance that libpng from version 0.71 and
-upward through 1.5.10beta02 are Y2K compliant.  It is my belief that earlier
+upward through 1.5.10beta01 are Y2K compliant.  It is my belief that earlier
 versions were also Y2K compliant.
 
 Libpng only has three year fields.  One is a 2-byte unsigned integer that

libpng.3

@@ -1,6 +1,6 @@
 .TH LIBPNG 3 "February 24, 2012"
 .SH NAME
-libpng \- Portable Network Graphics (PNG) Reference Library 1.5.10beta02
+libpng \- Portable Network Graphics (PNG) Reference Library 1.5.10beta01
 .SH SYNOPSIS
 \fI\fB
 
@@ -977,7 +977,7 @@ Following is a copy of the libpng-manual.txt file that accompanies libpng.
 .SH LIBPNG.TXT
 libpng-manual.txt - A description on how to use and modify libpng
 
- libpng version 1.5.10beta02 - February 24, 2012
+ libpng version 1.5.10beta01 - February 24, 2012
  Updated and distributed by Glenn Randers-Pehrson
  <glennrp at users.sourceforge.net>
  Copyright (c) 1998-2011 Glenn Randers-Pehrson
@@ -988,7 +988,7 @@ libpng-manual.txt - A description on how to use and modify libpng
 
  Based on:
 
- libpng versions 0.97, January 1998, through 1.5.10beta02 - February 24, 2012
+ libpng versions 0.97, January 1998, through 1.5.10beta01 - February 24, 2012
  Updated and distributed by Glenn Randers-Pehrson
  Copyright (c) 1998-2011 Glenn Randers-Pehrson
 
@@ -5239,11 +5239,10 @@ that it could be used to override them.  Now this function will reduce or
 increase the limits.
 
 Starting in libpng-1.5.10, the user limits can be set en masse with the
-configuration option PNG_SAFE_LIMITS.  If this option is enabled, then
-the limits in pnglibconf.h are ignored and a set of "safe" limits is
-applied in pngconf.h.  These can be overridden by application calls
-to png_set_user_limits(), png_set_user_chunk_cache_max(), and/or
-png_set_user_malloc_max() that increase or decrease the limits.  Also,
+configuration option PNG_SAFE_LIMITS_SUPPORTED.  If this option is enabled,
+a set of "safe" limits is applied in pngpriv.h.  These can be overridden by
+application calls to png_set_user_limits(), png_set_user_chunk_cache_max(),
+and/or png_set_user_malloc_max() that increase or decrease the limits.  Also,
 in libpng-1.5.10 the default width and height limits were increased
 from 1,000,000 to 0x7ffffff (i.e., made unlimited).  Therefore, the
 limits are now
@@ -5251,7 +5250,7 @@ limits are now
    png_user_width_max        0x7fffffff    1,000,000
    png_user_height_max       0x7fffffff    1,000,000
    png_user_chunk_cache_max  0 (unlimited)   128
-   png_user_chunk_malloc_max 0 (unlimited) 4,000,000
+   png_user_chunk_malloc_max 0 (unlimited) 8,000,000
 
 B. Changes to the build and configuration of libpng
 
@@ -5572,7 +5571,7 @@ Since the PNG Development group is an ad-hoc body, we can't make
 an official declaration.
 
 This is your unofficial assurance that libpng from version 0.71 and
-upward through 1.5.10beta02 are Y2K compliant.  It is my belief that earlier
+upward through 1.5.10beta01 are Y2K compliant.  It is my belief that earlier
 versions were also Y2K compliant.
 
 Libpng only has three year fields.  One is a 2-byte unsigned integer that
@@ -5783,7 +5782,7 @@ the first widely used release:
  1.5.9beta01-02      15    10509  15.so.15.9[.0]
  1.5.9rc01           15    10509  15.so.15.9[.0]
  1.5.9               15    10509  15.so.15.9[.0]
- 1.5.10beta01-02     15    10510  15.so.15.10[.0]
+ 1.5.10beta01        15    10510  15.so.15.10[.0]
 
 Henceforth the source version will match the shared-library minor
 and patch numbers; the shared-library major version number will be
@@ -5840,7 +5839,7 @@ possible without all of you.
 
 Thanks to Frank J. T. Wojcik for helping with the documentation.
 
-Libpng version 1.5.10beta02 - February 24, 2012:
+Libpng version 1.5.10beta01 - February 24, 2012:
 Initially created in 1995 by Guy Eric Schalnat, then of Group 42, Inc.
 Currently maintained by Glenn Randers-Pehrson (glennrp at users.sourceforge.net).
 
@@ -5863,7 +5862,7 @@ this sentence.
 
 This code is released under the libpng license.
 
-libpng versions 1.2.6, August 15, 2004, through 1.5.10beta02, February 24, 2012, are
+libpng versions 1.2.6, August 15, 2004, through 1.5.10beta01, February 24, 2012, are
 Copyright (c) 2004,2006-2007 Glenn Randers-Pehrson, and are
 distributed according to the same disclaimer and license as libpng-1.2.5
 with the following individual added to the list of Contributing Authors

pngconf.h

@@ -1,7 +1,7 @@
 
 /* pngconf.h - machine configurable file for libpng
  *
- * libpng version 1.5.10beta02 - February 24, 2012
+ * libpng version 1.5.10beta01 - February 24, 2012
  *
  * Copyright (c) 1998-2012 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
@@ -22,29 +22,6 @@
 #ifndef PNGCONF_H
 #define PNGCONF_H
 
-/* Feature added at libpng-1.5.10 */
-#ifdef PNG_SAFE_LIMITS_SUPPORTED
-#  ifdef PNG_USER_WIDTH_MAX
-#    undef PNG_USER_WIDTH_MAX
-#  endif
-#  define PNG_USER_WIDTH_MAX 1000000L
-
-#  ifdef PNG_USER_HEIGHT_MAX
-#    undef PNG_USER_HEIGHT_MAX
-#  endif
-#  define PNG_USER_HEIGHT_MAX 1000000L
-
-#  ifdef PNG_USER_CHUNK_MALLOC_MAX
-#    undef PNG_USER_CHUNK_MALLOC_MAX
-#  endif
-#  define PNG_USER_CHUNK_MALLOC_MAX 4000000L
-
-#  ifdef PNG_USER_CHUNK_CACHE_MAX
-#    undef PNG_USER_CHUNK_CACHE_MAX
-#  endif
-#  define PNG_USER_CHUNK_CACHE_MAX 128
-#endif
-
 #ifndef PNG_BUILDING_SYMBOL_TABLE
 /* PNG_NO_LIMITS_H may be used to turn off the use of the standard C
  * definition file for  machine specific limits, this may impact the

pngpriv.h

@@ -133,6 +133,46 @@
 #  define PNG_DLL_EXPORT
 #endif
 
+/* SECURITY and SAFETY:
+ *
+ * By default libpng is built without any internal limits on image size,
+ * individual heap (png_malloc) allocations or the total amount of memory used.
+ * If PNG_SAFE_LIMITS_SUPPORTED is defined, however, the limits below are used
+ * (unless individually overridden).  These limits are believed to be fairly
+ * safe, but builders of secure systems should verify the values against the
+ * real system capabilities.
+ */
+
+#ifdef PNG_SAFE_LIMITS_SUPPORTED
+   /* 'safe' limits */
+#  ifndef PNG_USER_WIDTH_MAX
+#     define PNG_USER_WIDTH_MAX 1000000
+#  endif
+#  ifndef PNG_USER_HEIGHT_MAX
+#     define PNG_USER_HEIGHT_MAX 1000000
+#  endif
+#  ifndef PNG_USER_CHUNK_CACHE_MAX
+#     define PNG_USER_CHUNK_CACHE_MAX 128
+#  endif
+#  ifndef PNG_USER_CHUNK_MALLOC_MAX
+#     define PNG_USER_CHUNK_MALLOC_MAX 8000000
+#  endif
+#else
+   /* values for no limits */
+#  ifndef PNG_USER_WIDTH_MAX
+#     define PNG_USER_WIDTH_MAX 0x7fffffff
+#  endif
+#  ifndef PNG_USER_HEIGHT_MAX
+#     define PNG_USER_HEIGHT_MAX 0x7fffffff
+#  endif
+#  ifndef PNG_USER_CHUNK_CACHE_MAX
+#     define PNG_USER_CHUNK_CACHE_MAX 0
+#  endif
+#  ifndef PNG_USER_CHUNK_MALLOC_MAX
+#     define PNG_USER_CHUNK_MALLOC_MAX 0
+#  endif
+#endif
+
 /* This is used for 16 bit gamma tables - only the top level pointers are const,
  * this could be changed:
  */

scripts/pnglibconf.dfa

@@ -27,7 +27,7 @@ file pnglibconf.h scripts/pnglibconf.dfa PNGLCONF_H
 # The syntax is detailed in scripts/options.awk, this is a summary
 # only:
 #
-# setting <name> [requires ...] [default]
+# setting <name> [default]
 #    #define PNG_<name> <value>  /* value comes from current setting */
 # option <name> [requires ...] [if ...] [enables ...] [disabled]
 #    #define PNG_<name>_SUPPORTED if the requirements are met and
@@ -260,29 +260,28 @@ option USER_LIMITS
 
 option SET_USER_LIMITS requires USER_LIMITS
 
-# Added at libpng-1.5.10
-option SAFE_LIMITS enables USER_LIMITS
-
 # Feature added at libpng-1.4.0, this flag added at 1.4.1
 option SET_USER_LIMITS enables SET_CHUNK_CACHE_LIMIT
 # Feature added at libpng-1.4.1, this flag added at 1.4.1
 
 option SET_USER_LIMITS enables SET_CHUNK_MALLOC_LIMIT
 
-# Added at libpng-1.0.16 and 1.2.6.  To accept all valid PNGs no matter
-# how large, set these two limits to 0x7fffffff
+# Libpng limits.
+#
+# If these settings are *not* set libpng will not limit the size of
+# images or the size of data in ancilliary chunks.  This does lead to
+# security issues if PNG files come from untrusted sources.
+setting USER_WIDTH_MAX
+setting USER_HEIGHT_MAX
+setting USER_CHUNK_CACHE_MAX
+setting USER_CHUNK_MALLOC_MAX
 
-setting USER_WIDTH_MAX default 0x7fffffff
-setting USER_HEIGHT_MAX default 0x7fffffff
-
-# Added at libpng-1.2.43.  To accept all valid PNGs no matter
-# how large, set these two limits to 0.
-
-setting USER_CHUNK_CACHE_MAX default 0
-
-# Added at libpng-1.2.43
-
-setting USER_CHUNK_MALLOC_MAX default 0
+# To default all these settings to values that are large but probably
+# safe turn the SAFE_LIMITS option on; this will cause the value in
+# pngpriv.h to be used.  Individual values can also be set, simply set
+# them in pngusr.dfa with '@#define PNG_setting value' lines.
+option SAFE_LIMITS enables USER_LIMITS disabled
+= SAFE_LIMITS SAFE_LIMITS
 
 # All of the following options relate to code capabilities for
 # processing image data before creating a PNG or after reading one.

scripts/pnglibconf.h.prebuilt

@@ -3,7 +3,7 @@
 
 /* pnglibconf.h - library build configuration */
 
-/* Libpng 1.5.10beta02 - February 24, 2012 */
+/* Libpng 1.5.10beta01 - February 24, 2012 */
 
 /* Copyright (c) 1998-2011 Glenn Randers-Pehrson */
 
@@ -31,10 +31,6 @@
 #define PNG_QUANTIZE_GREEN_BITS 5
 #define PNG_QUANTIZE_RED_BITS 5
 #define PNG_sCAL_PRECISION 5
-#define PNG_USER_CHUNK_CACHE_MAX 0
-#define PNG_USER_CHUNK_MALLOC_MAX 0
-#define PNG_USER_HEIGHT_MAX 0x7ffffffL
-#define PNG_USER_WIDTH_MAX 0x7ffffffL
 #define PNG_WEIGHT_SHIFT 8
 #define PNG_ZBUF_SIZE 8192
 /* end of settings */