[libpng16] Check length of IDAT against maximum possible IDAT size, accounting

for height, rowbytes, interlacing and zlib/deflate overhead.
2025-07-10 18:04:09 +02:00 · 2017-08-03 10:01:35 -05:00 · 2017-08-03 10:01:35 -05:00 · a1fe2c9848
commit a1fe2c9848
parent 6b53a5ed7b
4 changed files with 36 additions and 7 deletions
--- a/2
+++ b/2
@ -59,6 +59,8 @@ Version 1.6.32beta07 [Auguest 3, 2017]
    OSS-fuzz issue.

 Version 1.6.32beta08 [August 3, 2017]
+  Check length of IDAT against maximum possible IDAT size, accounting
+    for height, rowbytes, interlacing and zlib/deflate overhead.

 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
--- a/2
+++ b/2
@ -5942,6 +5942,8 @@ Version 1.6.32beta07 [Auguest 3, 2017]
    OSS-fuzz issue.

 Version 1.6.32beta08 [August 3, 2017]
+  Check length of IDAT against maximum possible IDAT size, accounting
+    for height, rowbytes, interlacing and zlib/deflate overhead.
  
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
--- a/pngpread.c
+++ b/pngpread.c
@ -170,6 +170,7 @@ png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr)
 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
   int keep; /* unknown handling method */
 #endif
+   png_alloc_size_t limit = PNG_UINT_31_MAX;

   /* First we make sure we have enough data for the 4-byte chunk name
    * and the 4-byte chunk length before proceeding with decoding the
@ -223,9 +224,19 @@ png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr)
         png_benign_error(png_ptr, "Too many IDATs found");
   }

+   if (chunk_name == png_IDAT)
+   {
+      size_t row_factor =
+         (png_ptr->rowbytes + 1 + (png_ptr->interlaced? 6: 0));
+      if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
+         limit=PNG_UINT_31_MAX;
+      else
+         limit = png_ptr->height * row_factor;
+      limit += 6 + 5*limit/32566; /* zlib+deflate overhead */
+      limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX;
+   }
   else
   {
-      png_alloc_size_t limit = PNG_SIZE_MAX;
 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
      if (png_ptr->user_chunk_malloc_max > 0 &&
          png_ptr->user_chunk_malloc_max < limit)
@ -234,9 +245,9 @@ png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr)
      if (PNG_USER_CHUNK_MALLOC_MAX < limit)
         limit = PNG_USER_CHUNK_MALLOC_MAX;
 # endif
+   }
   if (png_ptr->push_length > limit)
      png_chunk_error(png_ptr, "chunk data is too large");
-   }

   if (chunk_name == png_IHDR)
   {
--- a/pngrutil.c
+++ b/pngrutil.c
@ -157,6 +157,7 @@ png_read_chunk_header(png_structrp png_ptr)
 {
   png_byte buf[8];
   png_uint_32 length;
+   png_alloc_size_t limit = PNG_UINT_31_MAX;

 #ifdef PNG_IO_STATE_SUPPORTED
   png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_HDR;
@ -184,7 +185,6 @@ png_read_chunk_header(png_structrp png_ptr)
   /* Check for too-large chunk length */
   if (png_ptr->chunk_name != png_IDAT)
   {
-      png_alloc_size_t limit = PNG_SIZE_MAX;
 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
      if (png_ptr->user_chunk_malloc_max > 0 &&
          png_ptr->user_chunk_malloc_max < limit)
@ -193,7 +193,21 @@ png_read_chunk_header(png_structrp png_ptr)
      if (PNG_USER_CHUNK_MALLOC_MAX < limit)
         limit = PNG_USER_CHUNK_MALLOC_MAX;
 # endif
+   }
+   else
+   {
+      size_t row_factor =
+         (png_ptr->rowbytes + 1 + (png_ptr->interlaced? 6: 0));
+      if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
+         limit=PNG_UINT_31_MAX;
+      else
+         limit = png_ptr->height * row_factor;
+      limit += 6 + 5*limit/32566; /* zlib+deflate overhead */
+      limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX;
+   }
+
   if (length > limit)
+   {
      png_chunk_error(png_ptr, "chunk data is too large");
   }