[libpng15] Revise pngrutil.c with a more generous size limit for IDAT chunks.

2025-07-10 18:04:09 +02:00 · 2017-09-03 09:06:48 -05:00 · 2017-09-03 09:06:48 -05:00 · 9a414e2c8f
commit 9a414e2c8f
parent 99a7952dab
2 changed files with 20 additions and 15 deletions
--- a/7
+++ b/7
@ -4540,6 +4540,7 @@ version 1.5.29beta01 [April 1, 2017]
  Update Sourceforge URLs in documentation (https instead of http).

 version 1.5.29beta02 [August 9, 2017]
+  Added png_check_chunk_length() function (Fixes CVE-2017-12652).
  Moved chunk-name and chunk-length checks into PNG_EXTERN private
    png_check_chunk_name() and png_check_chunk_length() functions
    (Suggested by Max Stepin).
@ -4550,7 +4551,7 @@ version 1.5.29beta02 [August 9, 2017]
 version 1.5.29rc01 [August 19, 2017]
  No changes.
 
-version 1.5.29 [August 28, 2017]
+version 1.5.29 [September 3, 2017]
  No changes.

 Version 1.5.30beta01 [August 28, 2017]
@ -4559,6 +4560,10 @@ Version 1.5.30beta01 [August 28, 2017]
  Fixed off-by-one error in png_do_check_palette_indexes() (Bug report
    by Mick P., Source Forge Issue #269).

+Version 1.5.30beta02 [September 3, 2017]
+  Compute a larger limit on IDAT because some applications write a deflate
+    buffer for each row (Bug report by Andrew Church).
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement
--- a/pngrutil.c
+++ b/pngrutil.c
@ -1,7 +1,7 @@

 /* pngrutil.c - utilities to read a PNG file
 *
- * Last changed in libpng 1.5.29 [August 24, 2017]
+ * Last changed in libpng 1.5.30 [(PENDING RELEASE)]
 * Copyright (c) 1998-2002,2004,2006-2015,2017 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@ -2826,28 +2826,28 @@ png_check_chunk_length(png_structp png_ptr, png_uint_32 length)
 {
   png_uint_32 limit = PNG_UINT_31_MAX;

-   if (png_ptr->chunk_name != png_IDAT)
-   {
 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
-      if (png_ptr->user_chunk_malloc_max > 0 &&
-          png_ptr->user_chunk_malloc_max < limit)
-         limit = png_ptr->user_chunk_malloc_max;
+   if (png_ptr->user_chunk_malloc_max > 0 &&
+       png_ptr->user_chunk_malloc_max < limit)
+      limit = png_ptr->user_chunk_malloc_max;
 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
-      if (PNG_USER_CHUNK_MALLOC_MAX < limit)
-         limit = PNG_USER_CHUNK_MALLOC_MAX;
+   if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+      limit = PNG_USER_CHUNK_MALLOC_MAX;
 # endif
-   }
-   else
+   if (png_ptr->chunk_name == png_IDAT)
   {
+      png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
      size_t row_factor =
         (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
          + 1 + (png_ptr->interlaced? 6: 0));
      if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
-         limit=PNG_UINT_31_MAX;
+         idat_limit=PNG_UINT_31_MAX;
      else
-         limit = png_ptr->height * row_factor;
-      limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */
-      limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX;
+         idat_limit = png_ptr->height * row_factor;
+      row_factor = row_factor > 32566? 32566 : row_factor;
+      idat_limit += 6 + 5*(idat_limit/row_factor+1); /* zlib+deflate overhead */
+      idat_limit=idat_limit < PNG_UINT_31_MAX? idat_limit : PNG_UINT_31_MAX;
+      limit = limit < idat_limit? idat_limit : limit;
   }

   if (length > limit)