From 8ae616fa97d26f57cc166cfb7ae6a295e11bb052 Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Thu, 23 Feb 2012 17:43:33 -0600 Subject: [PATCH] [libpng15] Added PNG_SAFE_LIMITS feature to pnglibconf.dfa and code in pngconf.h to reset the user limits to safe ones if PNG_SAFE_LIMITS is defined. --- ANNOUNCE | 6 ++++-- CHANGES | 11 +++++++---- pngconf.h | 22 +++++++++++++++++++++- scripts/pnglibconf.dfa | 7 +++++-- scripts/pnglibconf.h.prebuilt | 2 +- 5 files changed, 38 insertions(+), 10 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index 551aa275c..05d40a2f4 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,5 +1,5 @@ -Libpng 1.5.10beta01 - February 21, 2012 +Libpng 1.5.10beta01 - February 23, 2012 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -26,7 +26,7 @@ Other information: Changes since the last public release (1.5.9): -Version 1.5.10beta01 [February 21, 2012] +Version 1.5.10beta01 [February 23, 2012] Removed two useless #ifdef directives from pngread.c and one from pngrutil.c Always put the CMAKE_LIBRARY in "lib" (removed special WIN32 case). Removed empty vstudio/pngstest directory (Clifford Yapp). @@ -35,6 +35,8 @@ Version 1.5.10beta01 [February 21, 2012] now that png_ptr->buffer is inaccessible to applications, the special handling is no longer useful. Fixed bug with png_handle_hIST with odd chunk length (Frank Busse). + Added PNG_SAFE_LIMITS feature to pnglibconf.dfa and code in pngconf.h + to reset the user limits to safe ones if PNG_SAFE_LIMITS is defined. Send comments/corrections/commendations to png-mng-implement at lists.sf.net: (subscription required; visit diff --git a/CHANGES b/CHANGES index 4058701e3..0b764c89e 100644 --- a/CHANGES +++ b/CHANGES 
@@ -3803,14 +3803,15 @@ Version 1.5.9beta02 [February 16, 2012] Removed tests for no-longer-used *_EMPTY_PLTE_SUPPORTED from pngstruct.h Version 1.5.9rc01 [February 17, 2012] - Fixed CVE-2011-3026 buffer overrun bug. Deal more correctly with the test - on iCCP chunk length. Also removed spurious casts that may hide problems - on 16-bit systems. + Fixed CVE-2011-3026 buffer overrun bug. This bug was introduced when + iCCP chunk support was added at libpng-1.0.6. Deal more correctly with the + test on iCCP chunk length. Also removed spurious casts that may hide + problems on 16-bit systems. Version 1.5.9 [February 18, 2012] No changes. -Version 1.5.10beta01 [February 21, 2012] +Version 1.5.10beta01 [February 23, 2012] Removed two useless #ifdef directives from pngread.c and one from pngrutil.c Always put the CMAKE_LIBRARY in "lib" (removed special WIN32 case). Removed empty vstudio/pngstest directory (Clifford Yapp). @@ -3819,6 +3820,8 @@ Version 1.5.10beta01 [February 21, 2012] now that png_ptr->buffer is inaccessible to applications, the special handling is no longer useful. Fixed bug with png_handle_hIST with odd chunk length (Frank Busse). + Added PNG_SAFE_LIMITS feature to pnglibconf.dfa and code in pngconf.h + to reset the user limits to safe ones if PNG_SAFE_LIMITS is defined. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/pngconf.h b/pngconf.h index 70c9b84e7..dde840c50 100644 --- a/pngconf.h +++ b/pngconf.h @@ -1,7 +1,7 @@ /* pngconf.h - machine configurable file for libpng * - * libpng version 1.5.10beta01 - February 19, 2012 + * libpng version 1.5.10beta01 - February 23, 2012 * * Copyright (c) 1998-2012 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) 
@@ -22,6 +22,26 @@ #ifndef PNGCONF_H #define PNGCONF_H +/* Feature added at libpng-1.5.10 */ +#ifdef PNG_SAFE_LIMITS_SUPPORTED +# ifdef PNG_USER_WIDTH_MAX +# undef PNG_USER_WIDTH_MAX +# define PNG_USER_WIDTH_MAX 1000000L +# endif +# ifdef PNG_USER_HEIGHT_MAX +# undef PNG_USER_HEIGHT_MAX +# define PNG_USER_HEIGHT_MAX 1000000L +# endif +# ifdef PNG_USER_CHUNK_MALLOC_MAX +# undef PNG_USER_CHUNK_MALLOC_MAX +# define PNG_USER_CHUNK_MALLOC_MAX 4000000L +# endif +# ifdef PNG_USER_CHUNK_CACHE_MAX +# undef PNG_USER_CHUNK_CACHE_MAX +# define PNG_USER_CHUNK_CACHE_MAX 128 +# endif +#endif + #ifndef PNG_BUILDING_SYMBOL_TABLE /* PNG_NO_LIMITS_H may be used to turn off the use of the standard C * definition file for machine specific limits, this may impact the diff --git a/scripts/pnglibconf.dfa b/scripts/pnglibconf.dfa index a740d6827..3e146684a 100644 --- a/scripts/pnglibconf.dfa +++ b/scripts/pnglibconf.dfa @@ -260,6 +260,9 @@ option USER_LIMITS option SET_USER_LIMITS requires USER_LIMITS +# Added at libpng-1.5.10 +option SAFE_LIMITS requires USER_LIMITS + # Feature added at libpng-1.4.0, this flag added at 1.4.1 option SET_USER_LIMITS enables SET_CHUNK_CACHE_LIMIT # Feature added at libpng-1.4.1, this flag added at 1.4.1 @@ -269,8 +272,8 @@ option SET_USER_LIMITS enables SET_CHUNK_MALLOC_LIMIT # Added at libpng-1.0.16 and 1.2.6. To accept all valid PNGs no matter # how large, set these two limits to 0x7fffffff -setting USER_WIDTH_MAX default 1000000 -setting USER_HEIGHT_MAX default 1000000 +setting USER_WIDTH_MAX default 0x7fffffff +setting USER_HEIGHT_MAX default 0x7fffffff # Added at libpng-1.2.43. To accept all valid PNGs no matter # how large, set these two limits to 0. diff --git a/scripts/pnglibconf.h.prebuilt b/scripts/pnglibconf.h.prebuilt index a46d433d3..5e97d44d3 100644 --- a/scripts/pnglibconf.h.prebuilt +++ b/scripts/pnglibconf.h.prebuilt 
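Review bot: In the added `PNG_SAFE_LIMITS_SUPPORTED` block of pngconf.h, each limit is overwritten whenever it is already defined, so a build that configured a stricter cap (for example a smaller `PNG_USER_WIDTH_MAX`) has it raised to the hard-coded value, while a limit that is not defined at this point is left untouched. Clamp rather than overwrite: guard the width and height resets with `# if !defined(PNG_USER_WIDTH_MAX) || PNG_USER_WIDTH_MAX > 1000000L`, and the chunk limits with `# if !defined(PNG_USER_CHUNK_MALLOC_MAX) || PNG_USER_CHUNK_MALLOC_MAX == 0 || PNG_USER_CHUNK_MALLOC_MAX > 4000000L`, because the pnglibconf.dfa comment in this patch indicates that 0 means "no limit" for what are presumably those two settings. The commit message and CHANGES entry name `PNG_SAFE_LIMITS`, but the code tests `PNG_SAFE_LIMITS_SUPPORTED`; the block comment should name the macro a builder actually has to set. Whether pnglibconf.h has been included before this point is not visible in the hunk, so confirm that the macros tested here are defined by then.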
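Review bot: Raising the `USER_WIDTH_MAX` and `USER_HEIGHT_MAX` defaults to `0x7fffffff` in pnglibconf.dfa removes the 1000000 cap from every build that does not turn on SAFE_LIMITS, so the protective behaviour becomes opt-in; applications that decode untrusted images and relied on the old default will need the new option or their own dimension check. The comment above the two settings still says to set them to 0x7fffffff to accept all valid PNGs, which now describes the default; reword it, for example `# Default accepts all valid PNGs; enable SAFE_LIMITS to cap at 1000000`. The `option SAFE_LIMITS requires USER_LIMITS` line added in the preceding hunk does not say whether the option is on or off by default, which is worth stating in its comment. The pnglibconf.h.prebuilt change visible in this patch touches only the date line, so confirm that the prebuilt header matches the new defaults.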
@@ -3,7 +3,7 @@ /* pnglibconf.h - library build configuration */ -/* Libpng 1.5.10beta01 - February 19, 2012 */ +/* Libpng 1.5.10beta01 - February 23, 2012 */ /* Copyright (c) 1998-2011 Glenn Randers-Pehrson */