[libpng17] Prevent setting or writing over-length PLTE chunk (Cosmin Truta).

Silently truncate over-length PLTE chunk while reading.
2025-07-10 18:04:09 +02:00 · 2015-11-01 13:01:56 -06:00
parent 5b05197604
commit 9f7d5aa973
5 changed files with 42 additions and 17 deletions
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -849,7 +849,7 @@ png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr)
 {
   png_color palette[PNG_MAX_PALETTE_LENGTH];
   png_uint_32 length = png_ptr->chunk_length;
-   int num, i;
+   int max_palette_length, num, i;
   png_colorp pal_ptr;

   png_debug(1, "in png_handle_PLTE");
@@ -868,6 +868,10 @@ png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr)
   }
 #endif

+   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
+
   if (length > 3*PNG_MAX_PALETTE_LENGTH || length % 3)
   {
      png_crc_finish(png_ptr, length);
@@ -878,7 +882,15 @@ png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr)
   }

   /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
-   num = (int)/*SAFE*/length / 3;
+   num = (int)length / 3;
+
+   /* If the palette has 256 or fewer entries but is too large for the bit
+    * depth, we don't issue an error, to preserve the behavior of previous
+    * libpng versions. We silently truncate the unused extra palette entries
+    * here.
+    */
+   if (num > max_palette_length)
+     num = max_palette_length;

   for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
   {