[libpng17] Do not read invalid sBIT chunks. Previously libpng only checked sBIT

values on write, so a malicious PNG writer could therefore cause the read code to return an invalid sBIT chunk, which might lead to application errors or crashes. Such chunks are now skipped (with chunk_benign_error).
2025-07-10 18:04:09 +02:00 · 2014-02-05 12:15:42 -06:00
parent dc63b03da1
commit d29413a2a9
3 changed files with 26 additions and 3 deletions
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1091,13 +1091,12 @@ png_handle_gAMA(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 void /* PRIVATE */
 png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 {
-   unsigned int truelen;
+   unsigned int truelen, i;
+   png_byte sample_depth;
   png_byte buf[4];

   png_debug(1, "in png_handle_sBIT");

-   buf[0] = buf[1] = buf[2] = buf[3] = 0;
-
   if (!(png_ptr->mode & PNG_HAVE_IHDR))
      png_chunk_error(png_ptr, "missing IHDR");

@@ -1116,10 +1115,16 @@ png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
   }

   if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+   {
      truelen = 3;
+      sample_depth = 8;
+   }

   else
+   {
      truelen = png_ptr->channels;
+      sample_depth = png_ptr->bit_depth;
+   }

   if (length != truelen || length > 4)
   {
@@ -1128,11 +1133,19 @@ png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
      return;
   }

+   buf[0] = buf[1] = buf[2] = buf[3] = sample_depth;
   png_crc_read(png_ptr, buf, truelen);

   if (png_crc_finish(png_ptr, 0))
      return;

+   for (i=0; i<truelen; ++i)
+      if (buf[i] == 0 || buf[i] > sample_depth)
+      {
+         png_chunk_benign_error(png_ptr, "invalid");
+         return;
+      }
+
   if (png_ptr->color_type & PNG_COLOR_MASK_COLOR)
   {
      png_ptr->sig_bit.red = buf[0];