diff --git a/ANNOUNCE b/ANNOUNCE index 1ba93e408..16e4c9dae 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,5 +1,5 @@ -Libpng 1.5.10beta02 - February 24, 2012 +Libpng 1.5.10beta01 - February 24, 2012 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -9,20 +9,20 @@ Files available for download: Source files with LF line endings (for Unix/Linux) and with a "configure" script - 1.5.10beta02.tar.xz (LZMA-compressed, recommended) - 1.5.10beta02.tar.gz - 1.5.10beta02.tar.bz2 + 1.5.10beta01.tar.xz (LZMA-compressed, recommended) + 1.5.10beta01.tar.gz + 1.5.10beta01.tar.bz2 Source files with CRLF line endings (for Windows), without the "configure" script - lp1510b02.7z (LZMA-compressed, recommended) - lp1510b02.zip + lp1510b01.7z (LZMA-compressed, recommended) + lp1510b01.zip Other information: - 1.5.10beta02-README.txt - 1.5.10beta02-LICENSE.txt + 1.5.10beta01-README.txt + 1.5.10beta01-LICENSE.txt Changes since the last public release (1.5.9): @@ -37,13 +37,9 @@ Version 1.5.10beta01 [February 24, 2012] Fixed bug with png_handle_hIST with odd chunk length (Frank Busse). Added PNG_SAFE_LIMITS feature to pnglibconf.dfa and code in pngconf.h to reset the user limits to safe ones if PNG_SAFE_LIMITS is defined. - To enable, use PNG_COPTS=-DPNG_SAFE_LIMITS on the configure command - or put #define PNG_SAFE_LIMITS_SUPPORTED in pnglibconf.h. - -Version 1.5.10beta02 [February 24, 2012] - Revised pngconf.h to always set the "safe" limits when - PNG_SAFE_LIMITS_SUPPORTED is defined, even if pnglibconf.h has - been edited to remove the limit definitions. + To enable, use "CPPFLAGS=-DPNG_SAFE_LIMITS_SUPPORTED=" on the configure + command or put "#define PNG_SAFE_LIMITS_SUPPORTED" in pnglibconf.h. + Revised the SAFE_LIMITS feature to be the same as the feature in libpng16. Added information about the new limits in the manual. Send comments/corrections/commendations to png-mng-implement at lists.sf.net: 
diff --git a/CHANGES b/CHANGES index dd15809d2..98547d9a9 100644 --- a/CHANGES +++ b/CHANGES @@ -3822,13 +3822,9 @@ Version 1.5.10beta01 [February 24, 2012] Fixed bug with png_handle_hIST with odd chunk length (Frank Busse). Added PNG_SAFE_LIMITS feature to pnglibconf.dfa and code in pngconf.h to reset the user limits to safe ones if PNG_SAFE_LIMITS is defined. - To enable, use PNG_COPTS=-DPNG_SAFE_LIMITS on the configure command - or put #define PNG_SAFE_LIMITS_SUPPORTED in pnglibconf.h. - -Version 1.5.10beta02 [February 24, 2012] - Revised pngconf.h to always set the "safe" limits when - PNG_SAFE_LIMITS_SUPPORTED is defined, even if pnglibconf.h has - been edited to remove the limit definitions. + To enable, use "CPPFLAGS=-DPNG_SAFE_LIMITS_SUPPORTED=" on the configure + command or put "#define PNG_SAFE_LIMITS_SUPPORTED" in pnglibconf.h. + Revised the SAFE_LIMITS feature to be the same as the feature in libpng16. Added information about the new limits in the manual. Send comments/corrections/commendations to png-mng-implement at lists.sf.net diff --git a/Makefile.am b/Makefile.am index 822811576..46980343f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -153,11 +153,11 @@ SYMBOL_CFLAGS = -DPNGLIB_LIBNAME='PNG@PNGLIB_MAJOR@@PNGLIB_MINOR@_0'\ mv dfn3.out $@ # The .dfn file for pnglibconf.h is machine generated -pnglibconf.dfn: scripts/pnglibconf.dfa scripts/options.awk pngconf.h +pnglibconf.dfn: scripts/pnglibconf.dfa scripts/options.awk pngconf.h pngusr.dfa rm -f $@ dfn?.out $(AWK) -f ${srcdir}/scripts/options.awk out=dfn1.out version=search\ ${srcdir}/pngconf.h ${srcdir}/scripts/pnglibconf.dfa\ - $(DFA_XTRA) 1>&2 + ${srcdir}/pngusr.dfa $(DFA_XTRA) 1>&2 $(AWK) -f ${srcdir}/scripts/options.awk out=dfn2.out dfn1.out 1>&2 rm dfn1.out mv dfn2.out $@ diff --git a/libpng-manual.txt b/libpng-manual.txt index 1cd8b7424..ff02f6b28 100644 --- a/libpng-manual.txt +++ b/libpng-manual.txt 
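Review bot: The new `pngusr.dfa` prerequisite on the `pnglibconf.dfn` rule has no rule of its own and is not created by any hunk visible in this diff, so if the file is not already in the source tree, make will stop with a missing-target error before options.awk runs. The recipe also passes `${srcdir}/pngusr.dfa` unconditionally, so the file has to be present even for a builder with no overrides to make. Since scripts/pnglibconf.dfa now points builders at this file for per-limit overrides, a comment above the rule would help, for example `# pngusr.dfa: local '@#define PNG_setting value' overrides, e.g. the PNG_USER_*_MAX limits; the file must be present`.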
@@ -1,6 +1,6 @@ libpng-manual.txt - A description on how to use and modify libpng - libpng version 1.5.10beta02 - February 24, 2012 + libpng version 1.5.10beta01 - February 24, 2012 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2011 Glenn Randers-Pehrson @@ -11,7 +11,7 @@ libpng-manual.txt - A description on how to use and modify libpng Based on: - libpng versions 0.97, January 1998, through 1.5.10beta02 - February 24, 2012 + libpng versions 0.97, January 1998, through 1.5.10beta01 - February 24, 2012 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2011 Glenn Randers-Pehrson @@ -4261,11 +4261,10 @@ that it could be used to override them. Now this function will reduce or increase the limits. Starting in libpng-1.5.10, the user limits can be set en masse with the -configuration option PNG_SAFE_LIMITS. If this option is enabled, then -the limits in pnglibconf.h are ignored and a set of "safe" limits is -applied in pngconf.h. These can be overridden by application calls -to png_set_user_limits(), png_set_user_chunk_cache_max(), and/or -png_set_user_malloc_max() that increase or decrease the limits. Also, +configuration option PNG_SAFE_LIMITS_SUPPORTED. If this option is enabled, +a set of "safe" limits is applied in pngpriv.h. These can be overridden by +application calls to png_set_user_limits(), png_set_user_chunk_cache_max(), +and/or png_set_user_malloc_max() that increase or decrease the limits. Also, in libpng-1.5.10 the default width and height limits were increased from 1,000,000 to 0x7ffffff (i.e., made unlimited). Therefore, the limits are now @@ -4273,7 +4272,7 @@ limits are now png_user_width_max 0x7fffffff 1,000,000 png_user_height_max 0x7fffffff 1,000,000 png_user_chunk_cache_max 0 (unlimited) 128 - png_user_chunk_malloc_max 0 (unlimited) 4,000,000 + png_user_chunk_malloc_max 0 (unlimited) 8,000,000 B. Changes to the build and configuration of libpng 
@@ -4594,7 +4593,7 @@ Since the PNG Development group is an ad-hoc body, we can't make an official declaration. This is your unofficial assurance that libpng from version 0.71 and -upward through 1.5.10beta02 are Y2K compliant. It is my belief that earlier +upward through 1.5.10beta01 are Y2K compliant. It is my belief that earlier versions were also Y2K compliant. Libpng only has three year fields. One is a 2-byte unsigned integer that diff --git a/libpng.3 b/libpng.3 index 38c3912cb..4bffa2b11 100644 --- a/libpng.3 +++ b/libpng.3 @@ -1,6 +1,6 @@ .TH LIBPNG 3 "February 24, 2012" .SH NAME -libpng \- Portable Network Graphics (PNG) Reference Library 1.5.10beta02 +libpng \- Portable Network Graphics (PNG) Reference Library 1.5.10beta01 .SH SYNOPSIS \fI\fB @@ -977,7 +977,7 @@ Following is a copy of the libpng-manual.txt file that accompanies libpng. .SH LIBPNG.TXT libpng-manual.txt - A description on how to use and modify libpng - libpng version 1.5.10beta02 - February 24, 2012 + libpng version 1.5.10beta01 - February 24, 2012 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2011 Glenn Randers-Pehrson @@ -988,7 +988,7 @@ libpng-manual.txt - A description on how to use and modify libpng Based on: - libpng versions 0.97, January 1998, through 1.5.10beta02 - February 24, 2012 + libpng versions 0.97, January 1998, through 1.5.10beta01 - February 24, 2012 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2011 Glenn Randers-Pehrson 
@@ -5239,11 +5239,10 @@ that it could be used to override them. Now this function will reduce or increase the limits. Starting in libpng-1.5.10, the user limits can be set en masse with the -configuration option PNG_SAFE_LIMITS. If this option is enabled, then -the limits in pnglibconf.h are ignored and a set of "safe" limits is -applied in pngconf.h. These can be overridden by application calls -to png_set_user_limits(), png_set_user_chunk_cache_max(), and/or -png_set_user_malloc_max() that increase or decrease the limits. Also, +configuration option PNG_SAFE_LIMITS_SUPPORTED. If this option is enabled, +a set of "safe" limits is applied in pngpriv.h. These can be overridden by +application calls to png_set_user_limits(), png_set_user_chunk_cache_max(), +and/or png_set_user_malloc_max() that increase or decrease the limits. Also, in libpng-1.5.10 the default width and height limits were increased from 1,000,000 to 0x7ffffff (i.e., made unlimited). Therefore, the limits are now @@ -5251,7 +5250,7 @@ limits are now png_user_width_max 0x7fffffff 1,000,000 png_user_height_max 0x7fffffff 1,000,000 png_user_chunk_cache_max 0 (unlimited) 128 - png_user_chunk_malloc_max 0 (unlimited) 4,000,000 + png_user_chunk_malloc_max 0 (unlimited) 8,000,000 B. Changes to the build and configuration of libpng @@ -5572,7 +5571,7 @@ Since the PNG Development group is an ad-hoc body, we can't make an official declaration. This is your unofficial assurance that libpng from version 0.71 and -upward through 1.5.10beta02 are Y2K compliant. It is my belief that earlier +upward through 1.5.10beta01 are Y2K compliant. It is my belief that earlier versions were also Y2K compliant. Libpng only has three year fields. One is a 2-byte unsigned integer that 
@@ -5783,7 +5782,7 @@ the first widely used release: 1.5.9beta01-02 15 10509 15.so.15.9[.0] 1.5.9rc01 15 10509 15.so.15.9[.0] 1.5.9 15 10509 15.so.15.9[.0] - 1.5.10beta01-02 15 10510 15.so.15.10[.0] + 1.5.10beta01 15 10510 15.so.15.10[.0] Henceforth the source version will match the shared-library minor and patch numbers; the shared-library major version number will be @@ -5840,7 +5839,7 @@ possible without all of you. Thanks to Frank J. T. Wojcik for helping with the documentation. -Libpng version 1.5.10beta02 - February 24, 2012: +Libpng version 1.5.10beta01 - February 24, 2012: Initially created in 1995 by Guy Eric Schalnat, then of Group 42, Inc. Currently maintained by Glenn Randers-Pehrson (glennrp at users.sourceforge.net). @@ -5863,7 +5862,7 @@ this sentence. This code is released under the libpng license. -libpng versions 1.2.6, August 15, 2004, through 1.5.10beta02, February 24, 2012, are +libpng versions 1.2.6, August 15, 2004, through 1.5.10beta01, February 24, 2012, are Copyright (c) 2004,2006-2007 Glenn Randers-Pehrson, and are distributed according to the same disclaimer and license as libpng-1.2.5 with the following individual added to the list of Contributing Authors diff --git a/pngconf.h b/pngconf.h index 82cd6ef15..42dcca164 100644 --- a/pngconf.h +++ b/pngconf.h @@ -1,7 +1,7 @@ /* pngconf.h - machine configurable file for libpng * - * libpng version 1.5.10beta02 - February 24, 2012 + * libpng version 1.5.10beta01 - February 24, 2012 * * Copyright (c) 1998-2012 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) 
@@ -22,29 +22,6 @@ #ifndef PNGCONF_H #define PNGCONF_H -/* Feature added at libpng-1.5.10 */ -#ifdef PNG_SAFE_LIMITS_SUPPORTED -# ifdef PNG_USER_WIDTH_MAX -# undef PNG_USER_WIDTH_MAX -# endif -# define PNG_USER_WIDTH_MAX 1000000L - -# ifdef PNG_USER_HEIGHT_MAX -# undef PNG_USER_HEIGHT_MAX -# endif -# define PNG_USER_HEIGHT_MAX 1000000L - -# ifdef PNG_USER_CHUNK_MALLOC_MAX -# undef PNG_USER_CHUNK_MALLOC_MAX -# endif -# define PNG_USER_CHUNK_MALLOC_MAX 4000000L - -# ifdef PNG_USER_CHUNK_CACHE_MAX -# undef PNG_USER_CHUNK_CACHE_MAX -# endif -# define PNG_USER_CHUNK_CACHE_MAX 128 -#endif - #ifndef PNG_BUILDING_SYMBOL_TABLE /* PNG_NO_LIMITS_H may be used to turn off the use of the standard C * definition file for machine specific limits, this may impact the diff --git a/pngpriv.h b/pngpriv.h index 67e486c57..52484f06a 100644 --- a/pngpriv.h +++ b/pngpriv.h 
@@ -133,6 +133,46 @@ # define PNG_DLL_EXPORT #endif +/* SECURITY and SAFETY: + * + * By default libpng is built without any internal limits on image size, + * individual heap (png_malloc) allocations or the total amount of memory used. + * If PNG_SAFE_LIMITS_SUPPORTED is defined, however, the limits below are used + * (unless individually overridden). These limits are believed to be fairly + * safe, but builders of secure systems should verify the values against the + * real system capabilities. + */ + +#ifdef PNG_SAFE_LIMITS_SUPPORTED + /* 'safe' limits */ +# ifndef PNG_USER_WIDTH_MAX +# define PNG_USER_WIDTH_MAX 1000000 +# endif +# ifndef PNG_USER_HEIGHT_MAX +# define PNG_USER_HEIGHT_MAX 1000000 +# endif +# ifndef PNG_USER_CHUNK_CACHE_MAX +# define PNG_USER_CHUNK_CACHE_MAX 128 +# endif +# ifndef PNG_USER_CHUNK_MALLOC_MAX +# define PNG_USER_CHUNK_MALLOC_MAX 8000000 +# endif +#else + /* values for no limits */ +# ifndef PNG_USER_WIDTH_MAX +# define PNG_USER_WIDTH_MAX 0x7fffffff +# endif +# ifndef PNG_USER_HEIGHT_MAX +# define PNG_USER_HEIGHT_MAX 0x7fffffff +# endif +# ifndef PNG_USER_CHUNK_CACHE_MAX +# define PNG_USER_CHUNK_CACHE_MAX 0 +# endif +# ifndef PNG_USER_CHUNK_MALLOC_MAX +# define PNG_USER_CHUNK_MALLOC_MAX 0 +# endif +#endif + /* This is used for 16 bit gamma tables - only the top level pointers are const, * this could be changed: */ diff --git a/scripts/pnglibconf.dfa b/scripts/pnglibconf.dfa index 862ff2042..9279326fb 100644 --- a/scripts/pnglibconf.dfa +++ b/scripts/pnglibconf.dfa @@ -27,7 +27,7 @@ file pnglibconf.h scripts/pnglibconf.dfa PNGLCONF_H # The syntax is detailed in scripts/options.awk, this is a summary # only: # -# setting [requires ...] [default] +# setting [default] # #define PNG_ /* value comes from current setting */ # option [requires ...] [if ...] [enables ...] [disabled] # #define PNG__SUPPORTED if the requirements are met and 
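Review bot: Every limit in the `#ifdef PNG_SAFE_LIMITS_SUPPORTED` branch is wrapped in `#ifndef`, so a value defined earlier wins even when it is one of the no-limit values from the `#else` branch (`0` or `0x7fffffff`). The block removed from pngconf.h in this same diff did the opposite (`#undef` then `#define`), so a build that still picks up a pnglibconf.h carrying `#define PNG_USER_CHUNK_MALLOC_MAX 0`, as the old prebuilt file did, would have PNG_SAFE_LIMITS_SUPPORTED defined and that limit off, with no diagnostic. The header comment says only "unless individually overridden"; I would add a line such as `* A PNG_USER_*_MAX defined before this point takes precedence, including 0 or 0x7fffffff, which turn that limit off.` It may also be worth saying there that none of the four macros appears to bound total memory use, which the first sentence of the comment lists alongside image size and individual allocations.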
@@ -260,29 +260,28 @@ option USER_LIMITS option SET_USER_LIMITS requires USER_LIMITS -# Added at libpng-1.5.10 -option SAFE_LIMITS enables USER_LIMITS - # Feature added at libpng-1.4.0, this flag added at 1.4.1 option SET_USER_LIMITS enables SET_CHUNK_CACHE_LIMIT # Feature added at libpng-1.4.1, this flag added at 1.4.1 option SET_USER_LIMITS enables SET_CHUNK_MALLOC_LIMIT -# Added at libpng-1.0.16 and 1.2.6. To accept all valid PNGs no matter -# how large, set these two limits to 0x7fffffff +# Libpng limits. +# +# If these settings are *not* set libpng will not limit the size of +# images or the size of data in ancilliary chunks. This does lead to +# security issues if PNG files come from untrusted sources. +setting USER_WIDTH_MAX +setting USER_HEIGHT_MAX +setting USER_CHUNK_CACHE_MAX +setting USER_CHUNK_MALLOC_MAX -setting USER_WIDTH_MAX default 0x7fffffff -setting USER_HEIGHT_MAX default 0x7fffffff - -# Added at libpng-1.2.43. To accept all valid PNGs no matter -# how large, set these two limits to 0. - -setting USER_CHUNK_CACHE_MAX default 0 - -# Added at libpng-1.2.43 - -setting USER_CHUNK_MALLOC_MAX default 0 +# To default all these settings to values that are large but probably +# safe turn the SAFE_LIMITS option on; this will cause the value in +# pngpriv.h to be used. Individual values can also be set, simply set +# them in pngusr.dfa with '@#define PNG_setting value' lines. +option SAFE_LIMITS enables USER_LIMITS disabled += SAFE_LIMITS SAFE_LIMITS # All of the following options relate to code capabilities for # processing image data before creating a PNG or after reading one. diff --git a/scripts/pnglibconf.h.prebuilt b/scripts/pnglibconf.h.prebuilt index 1752ca969..15462a3b3 100644 --- a/scripts/pnglibconf.h.prebuilt +++ b/scripts/pnglibconf.h.prebuilt 
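Review bot: In the new "Libpng limits" comment, `ancilliary` should be `ancillary`, and the warning would be clearer if it said outright that the stock build is the unlimited one: the four `setting` lines lose their `default` values here and `option SAFE_LIMITS` is added as `disabled`. Someone packaging libpng for untrusted input reads the first paragraph and has to infer that from the option line further down. Suggested wording for the end of the first paragraph: `# SAFE_LIMITS is disabled by default, so a stock build applies no limits.` The `= SAFE_LIMITS SAFE_LIMITS` line also has no comment; a one-line explanation of what that line does (the syntax is described in scripts/options.awk, not in this hunk) would save readers a lookup.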
@@ -3,7 +3,7 @@ /* pnglibconf.h - library build configuration */ -/* Libpng 1.5.10beta02 - February 24, 2012 */ +/* Libpng 1.5.10beta01 - February 24, 2012 */ /* Copyright (c) 1998-2011 Glenn Randers-Pehrson */ @@ -31,10 +31,6 @@ #define PNG_QUANTIZE_GREEN_BITS 5 #define PNG_QUANTIZE_RED_BITS 5 #define PNG_sCAL_PRECISION 5 -#define PNG_USER_CHUNK_CACHE_MAX 0 -#define PNG_USER_CHUNK_MALLOC_MAX 0 -#define PNG_USER_HEIGHT_MAX 0x7ffffffL -#define PNG_USER_WIDTH_MAX 0x7ffffffL #define PNG_WEIGHT_SHIFT 8 #define PNG_ZBUF_SIZE 8192 /* end of settings */