mirror of
https://git.code.sf.net/p/libpng/code.git
synced 2025-07-10 18:04:09 +02:00
[libpng17] Do not read invalid sBIT chunks. Previously libpng only checked sBIT
values on write, so a malicious PNG writer could therefore cause the read code to return an invalid sBIT chunk, which might lead to application errors or crashes. Such chunks are now skipped (with chunk_benign_error).
This commit is contained in:
committed by
Glenn Randers-Pehrson
parent
dc63b03da1
commit
d29413a2a9
19
pngrutil.c
19
pngrutil.c
@@ -1091,13 +1091,12 @@ png_handle_gAMA(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
||||
void /* PRIVATE */
|
||||
png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
||||
{
|
||||
unsigned int truelen;
|
||||
unsigned int truelen, i;
|
||||
png_byte sample_depth;
|
||||
png_byte buf[4];
|
||||
|
||||
png_debug(1, "in png_handle_sBIT");
|
||||
|
||||
buf[0] = buf[1] = buf[2] = buf[3] = 0;
|
||||
|
||||
if (!(png_ptr->mode & PNG_HAVE_IHDR))
|
||||
png_chunk_error(png_ptr, "missing IHDR");
|
||||
|
||||
@@ -1116,10 +1115,16 @@ png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
||||
}
|
||||
|
||||
if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
|
||||
{
|
||||
truelen = 3;
|
||||
sample_depth = 8;
|
||||
}
|
||||
|
||||
else
|
||||
{
|
||||
truelen = png_ptr->channels;
|
||||
sample_depth = png_ptr->bit_depth;
|
||||
}
|
||||
|
||||
if (length != truelen || length > 4)
|
||||
{
|
||||
@@ -1128,11 +1133,19 @@ png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
||||
return;
|
||||
}
|
||||
|
||||
buf[0] = buf[1] = buf[2] = buf[3] = sample_depth;
|
||||
png_crc_read(png_ptr, buf, truelen);
|
||||
|
||||
if (png_crc_finish(png_ptr, 0))
|
||||
return;
|
||||
|
||||
for (i=0; i<truelen; ++i)
|
||||
if (buf[i] == 0 || buf[i] > sample_depth)
|
||||
{
|
||||
png_chunk_benign_error(png_ptr, "invalid");
|
||||
return;
|
||||
}
|
||||
|
||||
if (png_ptr->color_type & PNG_COLOR_MASK_COLOR)
|
||||
{
|
||||
png_ptr->sig_bit.red = buf[0];
|
||||
|
||||
Reference in New Issue
Block a user