[libpng16] Prevent reading over-length PLTE chunk (Cosmin Truta).

Glenn Randers-Pehrson 2015-10-30 07:57:49 -05:00
parent 06509be841
commit a901eb3ce6
7 changed files with 34 additions and 28 deletions

@ -1,4 +1,4 @@
Libpng 1.6.19rc02 - October 29, 2015 Libpng 1.6.19rc02 - October 30, 2015
This is not intended to be a public release. It will be replaced This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version. within a few weeks by a public version or by another test version.
@ -106,8 +106,8 @@ Version 1.6.19beta04 [October 15, 2015]
Version 1.6.19rc01 [October 23, 2015] Version 1.6.19rc01 [October 23, 2015]
No changes. No changes.
Version 1.6.19rc02 [October 29, 2015] Version 1.6.19rc02 [October 30, 2015]
Prevent writing over-length PLTE chunk (Cosmin Truta). Prevent reading or writing over-length PLTE chunk (Cosmin Truta).
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

@ -5391,8 +5391,8 @@ Version 1.6.19beta04 [October 15, 2015]
Version 1.6.19rc01 [October 23, 2015] Version 1.6.19rc01 [October 23, 2015]
No changes. No changes.
Version 1.6.19rc02 [October 29, 2015] Version 1.6.19rc02 [October 30, 2015]
Prevent writing over-length PLTE chunk (Cosmin Truta). Prevent reading or writing over-length PLTE chunk (Cosmin Truta).
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

@ -1,6 +1,6 @@
libpng-manual.txt - A description on how to use and modify libpng libpng-manual.txt - A description on how to use and modify libpng
libpng version 1.6.19rc02 - October 29, 2015 libpng version 1.6.19rc02 - October 30, 2015
Updated and distributed by Glenn Randers-Pehrson Updated and distributed by Glenn Randers-Pehrson
<glennrp at users.sourceforge.net> <glennrp at users.sourceforge.net>
Copyright (c) 1998-2015 Glenn Randers-Pehrson Copyright (c) 1998-2015 Glenn Randers-Pehrson
@ -11,7 +11,7 @@ libpng-manual.txt - A description on how to use and modify libpng
Based on: Based on:
libpng versions 0.97, January 1998, through 1.6.19rc02 - October 29, 2015 libpng versions 0.97, January 1998, through 1.6.19rc02 - October 30, 2015
Updated and distributed by Glenn Randers-Pehrson Updated and distributed by Glenn Randers-Pehrson
Copyright (c) 1998-2015 Glenn Randers-Pehrson Copyright (c) 1998-2015 Glenn Randers-Pehrson
@ -5142,10 +5142,9 @@ It can be set for testing debug or beta builds to ensure that they will compile
when the build type is switched to RC or STABLE. In essence this overrides the when the build type is switched to RC or STABLE. In essence this overrides the
PNG_LIBPNG_BUILD_BASE_TYPE definition which is not directly user controllable. PNG_LIBPNG_BUILD_BASE_TYPE definition which is not directly user controllable.
Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk
is an error. Previously this requirement of the PNG specification was not is an error. Previously this requirement of the PNG specification was not
enforced. Libpng continues to accept over-length PLTE chunks when reading, enforced, and the palette was always limited to 256 entries.
but does not make any use of the extra entries.
XIII. Detecting libpng XIII. Detecting libpng
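Review bot: The rewritten paragraph drops the sentence about reading ("Libpng continues to accept over-length PLTE chunks when reading") without saying what a reader now does with such a chunk, even though the commit title is about reading. State the new read-side behaviour explicitly, for example that an over-length PLTE chunk in a palette image now ends in png_error() if that is the intent, so applications decoding untrusted files know that previously accepted inputs can now fail. "set an over-length PLTE chunk" also mixes the chunk with the png_set_PLTE() call; "set a palette with more than 1 << bit_depth entries" would be more precise. The same wording is repeated in the man-page copy of this text later in the commit.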
@ -5319,7 +5318,7 @@ Other rules can be inferred by inspecting the libpng source.
XVI. Y2K Compliance in libpng XVI. Y2K Compliance in libpng
October 29, 2015 October 30, 2015
Since the PNG Development group is an ad-hoc body, we can't make Since the PNG Development group is an ad-hoc body, we can't make
an official declaration. an official declaration.

@ -1,4 +1,4 @@
.TH LIBPNG 3 "October 29, 2015" .TH LIBPNG 3 "October 30, 2015"
.SH NAME .SH NAME
libpng \- Portable Network Graphics (PNG) Reference Library 1.6.19rc02 libpng \- Portable Network Graphics (PNG) Reference Library 1.6.19rc02
.SH SYNOPSIS .SH SYNOPSIS
@ -508,7 +508,7 @@ Following is a copy of the libpng-manual.txt file that accompanies libpng.
.SH LIBPNG.TXT .SH LIBPNG.TXT
libpng-manual.txt - A description on how to use and modify libpng libpng-manual.txt - A description on how to use and modify libpng
libpng version 1.6.19rc02 - October 29, 2015 libpng version 1.6.19rc02 - October 30, 2015
Updated and distributed by Glenn Randers-Pehrson Updated and distributed by Glenn Randers-Pehrson
<glennrp at users.sourceforge.net> <glennrp at users.sourceforge.net>
Copyright (c) 1998-2015 Glenn Randers-Pehrson Copyright (c) 1998-2015 Glenn Randers-Pehrson
@ -519,7 +519,7 @@ libpng-manual.txt - A description on how to use and modify libpng
Based on: Based on:
libpng versions 0.97, January 1998, through 1.6.19rc02 - October 29, 2015 libpng versions 0.97, January 1998, through 1.6.19rc02 - October 30, 2015
Updated and distributed by Glenn Randers-Pehrson Updated and distributed by Glenn Randers-Pehrson
Copyright (c) 1998-2015 Glenn Randers-Pehrson Copyright (c) 1998-2015 Glenn Randers-Pehrson
@ -5650,10 +5650,9 @@ It can be set for testing debug or beta builds to ensure that they will compile
when the build type is switched to RC or STABLE. In essence this overrides the when the build type is switched to RC or STABLE. In essence this overrides the
PNG_LIBPNG_BUILD_BASE_TYPE definition which is not directly user controllable. PNG_LIBPNG_BUILD_BASE_TYPE definition which is not directly user controllable.
Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk
is an error. Previously this requirement of the PNG specification was not is an error. Previously this requirement of the PNG specification was not
enforced. Libpng continues to accept over-length PLTE chunks when reading, enforced, and the palette was always limited to 256 entries.
but does not make any use of the extra entries.
.SH XIII. Detecting libpng .SH XIII. Detecting libpng
@ -5827,7 +5826,7 @@ Other rules can be inferred by inspecting the libpng source.
.SH XVI. Y2K Compliance in libpng .SH XVI. Y2K Compliance in libpng
October 29, 2015 October 30, 2015
Since the PNG Development group is an ad-hoc body, we can't make Since the PNG Development group is an ad-hoc body, we can't make
an official declaration. an official declaration.
@ -6149,7 +6148,7 @@ possible without all of you.
Thanks to Frank J. T. Wojcik for helping with the documentation. Thanks to Frank J. T. Wojcik for helping with the documentation.
Libpng version 1.6.19rc02 - October 29, 2015: Libpng version 1.6.19rc02 - October 30, 2015:
Initially created in 1995 by Guy Eric Schalnat, then of Group 42, Inc. Initially created in 1995 by Guy Eric Schalnat, then of Group 42, Inc.
Currently maintained by Glenn Randers-Pehrson (glennrp at users.sourceforge.net). Currently maintained by Glenn Randers-Pehrson (glennrp at users.sourceforge.net).
@ -6172,7 +6171,7 @@ this sentence.
This code is released under the libpng license. This code is released under the libpng license.
libpng versions 1.0.7, July 1, 2000, through 1.6.19rc02, October 29, 2015, are libpng versions 1.0.7, July 1, 2000, through 1.6.19rc02, October 30, 2015, are
Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, and are Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, and are
distributed according to the same disclaimer and license as libpng-1.0.6 distributed according to the same disclaimer and license as libpng-1.0.6
with the following individuals added to the list of Contributing Authors: with the following individuals added to the list of Contributing Authors:
@ -6266,7 +6265,7 @@ the additional disclaimers inserted at version 1.0.7.
Glenn Randers-Pehrson Glenn Randers-Pehrson
glennrp at users.sourceforge.net glennrp at users.sourceforge.net
October 29, 2015 October 30, 2015
.\" end of man page .\" end of man page

@ -1002,6 +1002,9 @@ png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
* confusing. * confusing.
* *
* Fix this by not sharing the palette in this way. * Fix this by not sharing the palette in this way.
*
* Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
* it attempts to set a palette length that is too large for the bit depth.
*/ */
png_set_PLTE(png_ptr, info_ptr, palette, num); png_set_PLTE(png_ptr, info_ptr, palette, num);
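Review bot: The added comment says png_set_PLTE() now raises png_error() for a palette that is too long for the bit depth, but the visible lines do not limit num before the call just below it, so on the read path an over-length PLTE chunk becomes a fatal error instead of being tolerated. If that is intended, say so here ("an over-length PLTE chunk is therefore rejected"); if reading should stay tolerant, clamp num to 1 << bit_depth in this handler before calling png_set_PLTE() and warn instead. "when it attempts to set" is also ambiguous about who "it" is; "when asked to set" reads better.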

@ -1,7 +1,7 @@
/* pngset.c - storage of image information into info struct /* pngset.c - storage of image information into info struct
* *
* Last changed in libpng 1.6.18 [July 23, 2015] * Last changed in libpng 1.6.19 [(PENDING RELEASE)]
* Copyright (c) 1998-2015 Glenn Randers-Pehrson * Copyright (c) 1998-2015 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@ -513,12 +513,17 @@ png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
png_const_colorp palette, int num_palette) png_const_colorp palette, int num_palette)
{ {
png_uint_32 max_palette_length;
png_debug1(1, "in %s storage function", "PLTE"); png_debug1(1, "in %s storage function", "PLTE");
if (png_ptr == NULL || info_ptr == NULL) if (png_ptr == NULL || info_ptr == NULL)
return; return;
if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH) max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
(1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
if (num_palette < 0 || num_palette > max_palette_length)
{ {
if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
png_error(png_ptr, "Invalid palette length"); png_error(png_ptr, "Invalid palette length");
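Review bot: max_palette_length is derived from png_ptr->color_type and png_ptr->bit_depth, while the check right below it decides whether to call png_error() from info_ptr->color_type, so the limit and the error decision can come from two different structs. png_set_PLTE() stores into info_ptr, so take both color_type and bit_depth from info_ptr to keep the bound tied to the image header being described. In addition, num_palette is an int compared against a png_uint_32; that is safe only because num_palette < 0 is tested first, so a cast or a short comment would keep that ordering from being broken later.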
@ -551,8 +556,8 @@ png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0); png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
/* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
* of num_palette entries, in case of an invalid PNG file that has * of num_palette entries, in case of an invalid PNG file or incorrect
* too-large sample values. * call to png_set_PLTE() with too-large sample values.
*/ */
png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr, png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)))); PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
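Review bot: The reworded comment, "incorrect call to png_set_PLTE() with too-large sample values", is hard to parse, since png_set_PLTE() takes a palette and a count, not sample values. Now that num_palette is bounded by the bit depth earlier in this function, spell out why the allocation stays at PNG_MAX_PALETTE_LENGTH: sample values in the image data that exceed num_palette must still index inside the zeroed png_calloc() buffer. That makes it clear the fixed-size allocation is a deliberate bound and must not be shrunk to num_palette.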

@ -922,20 +922,20 @@ void /* PRIVATE */
png_write_PLTE(png_structrp png_ptr, png_const_colorp palette, png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
png_uint_32 num_pal) png_uint_32 num_pal)
{ {
png_uint_32 max_num_pal, i; png_uint_32 max_palette_length, i;
png_const_colorp pal_ptr; png_const_colorp pal_ptr;
png_byte buf[3]; png_byte buf[3];
png_debug(1, "in png_write_PLTE"); png_debug(1, "in png_write_PLTE");
max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
(1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
if (( if ((
#ifdef PNG_MNG_FEATURES_SUPPORTED #ifdef PNG_MNG_FEATURES_SUPPORTED
(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 && (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
#endif #endif
num_pal == 0) || num_pal > max_num_pal) num_pal == 0) || num_pal > max_palette_length)
{ {
if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
{ {
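Review bot: After the rename, the expression (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH appears under the same variable name in both png_write_PLTE() and png_set_PLTE(); a shared private macro or helper would keep the two limits from drifting apart. 1 << png_ptr->bit_depth is also a signed int shift stored in a png_uint_32; writing 1U << png_ptr->bit_depth avoids relying on bit_depth staying small.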