mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[libpng17] Do not read invalid sBIT chunks. Previously libpng only checked sBIT

Browse Source 
values on write, so a malicious PNG writer could therefore cause
the read code to return an invalid sBIT chunk, which might lead to
application errors or crashes.  Such chunks are now skipped (with
chunk_benign_error).
This commit is contained in:
John Bowler 2014-02-05 12:15:42 -06:00 committed by Glenn Randers-Pehrson
parent dc63b03da1
commit d29413a2a9
3 changed files with 26 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ANNOUNCE
View File

@ -515,6 +515,11 @@ Version 1.7.0beta31 [February 5, 2014]
outside the range that should be produced by the shift. Reversing the outside the range that should be produced by the shift. Reversing the
order on read makes the two transforms work together correctly and mirrors order on read makes the two transforms work together correctly and mirrors
the order used on write. the order used on write.
Do not read invalid sBIT chunks. Previously libpng only checked sBIT
values on write, so a malicious PNG writer could therefore cause
the read code to return an invalid sBIT chunk, which might lead to
application errors or crashes. Such chunks are now skipped (with
chunk_benign_error).
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

5
CHANGES
View File

@ -4804,6 +4804,11 @@ Version 1.7.0beta31 [February 5, 2014]
outside the range that should be produced by the shift. Reversing the outside the range that should be produced by the shift. Reversing the
order on read makes the two transforms work together correctly and mirrors order on read makes the two transforms work together correctly and mirrors
the order used on write. the order used on write.
Do not read invalid sBIT chunks. Previously libpng only checked sBIT
values on write, so a malicious PNG writer could therefore cause
the read code to return an invalid sBIT chunk, which might lead to
application errors or crashes. Such chunks are now skipped (with
chunk_benign_error).
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

19
pngrutil.c
View File

@ -1091,13 +1091,12 @@ png_handle_gAMA(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
void /* PRIVATE */ void /* PRIVATE */
png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
{ {
unsigned int truelen; unsigned int truelen, i;
png_byte sample_depth;
png_byte buf[4]; png_byte buf[4];
png_debug(1, "in png_handle_sBIT"); png_debug(1, "in png_handle_sBIT");
buf[0] = buf[1] = buf[2] = buf[3] = 0;
if (!(png_ptr->mode & PNG_HAVE_IHDR)) if (!(png_ptr->mode & PNG_HAVE_IHDR))
png_chunk_error(png_ptr, "missing IHDR"); png_chunk_error(png_ptr, "missing IHDR");
@ -1116,10 +1115,16 @@ png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
} }
if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
{
truelen = 3; truelen = 3;
sample_depth = 8;
}
else else
{
truelen = png_ptr->channels; truelen = png_ptr->channels;
sample_depth = png_ptr->bit_depth;
}
if (length != truelen || length > 4) if (length != truelen || length > 4)
{ {
@ -1128,11 +1133,19 @@ png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
return; return;
} }
buf[0] = buf[1] = buf[2] = buf[3] = sample_depth;
png_crc_read(png_ptr, buf, truelen); png_crc_read(png_ptr, buf, truelen);
if (png_crc_finish(png_ptr, 0)) if (png_crc_finish(png_ptr, 0))
return; return;
for (i=0; i<truelen; ++i)
if (buf[i] == 0 || buf[i] > sample_depth)
{
png_chunk_benign_error(png_ptr, "invalid");
return;
}
if (png_ptr->color_type & PNG_COLOR_MASK_COLOR) if (png_ptr->color_type & PNG_COLOR_MASK_COLOR)
{ {
png_ptr->sig_bit.red = buf[0]; png_ptr->sig_bit.red = buf[0];