[libpng17] Updated comments and manual with elimination of PNG_SAFE_LIMITS

Glenn Randers-Pehrson 2014-12-23 22:43:57 -06:00
parent eeab1cfefc
commit d92b0f23e6
4 changed files with 40 additions and 27 deletions

View File

@ -1,6 +1,6 @@
libpng-manual.txt - A description on how to use and modify libpng
libpng version 1.7.0beta45 - December 23, 2014
libpng version 1.7.0beta45 - December 24, 2014
Updated and distributed by Glenn Randers-Pehrson
<glennrp at users.sourceforge.net>
Copyright (c) 1998-2014 Glenn Randers-Pehrson
@ -11,7 +11,7 @@ libpng-manual.txt - A description on how to use and modify libpng
Based on:
libpng versions 0.97, January 1998, through 1.7.0beta45 - December 23, 2014
libpng versions 0.97, January 1998, through 1.7.0beta45 - December 24, 2014
Updated and distributed by Glenn Randers-Pehrson
Copyright (c) 1998-2014 Glenn Randers-Pehrson
@ -648,7 +648,7 @@ User limits
The PNG specification allows the width and height of an image to be as
large as 2^31-1 (0x7fffffff), or about 2.147 billion rows and columns.
Since very few applications really need to process such large images,
we have imposed an arbitrary 1-million limit on rows and columns.
we have imposed an arbitrary 640000 limit on rows and columns.
Larger images will be rejected immediately with a png_error() call. If
you wish to change this limit, you can use
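
Review bot: the new default is written as "640000" in this paragraph but as "640,000" in the limits table this commit adds near the end of the manual; use one form in both places. Now that the figure is no longer the round "1-million", it would also help to say here that it is the default for png_user_width_max and png_user_height_max, so a reader can connect this paragraph with that table.
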
@ -5106,6 +5106,17 @@ length, which resulted in PNG files that cannot be read beyond the bad iTXt
chunk. This error was fixed in libpng-1.6.3, and a tool (called
contrib/tools/png-fix-itxt) has been added to the libpng distribution.
Starting with libpng-1.6.17, the PNG_SAFE_LIMITS macro was eliminated
and safe limits are used by default (users who need larger limits
can still override them at compile time or run time, as described above).
The new limits are
default
png_user_width_max 640,000
png_user_height_max 640,000
png_user_chunk_cache_max 128
png_user_chunk_malloc_max 8,000,000
XIII. Changes to Libpng from version 1.6.x to 1.7.x
Some functions that were deprecated in libpng-1.6.0 were removed:
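
Review bot: the added limits table gives bare numbers under a lone "default" heading, so the reader has to guess the units. Suggest stating the unit on each row, for example whether 8,000,000 for png_user_chunk_malloc_max is bytes and whether 128 for png_user_chunk_cache_max is a count of chunks, and giving the first column a heading as well.
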
@ -5309,7 +5320,7 @@ Other rules can be inferred by inspecting the libpng source.
XVII. Y2K Compliance in libpng
December 23, 2014
December 24, 2014
Since the PNG Development group is an ad-hoc body, we can't make
an official declaration.

View File

@ -1,4 +1,4 @@
.TH LIBPNG 3 "December 23, 2014"
.TH LIBPNG 3 "December 24, 2014"
.SH NAME
libpng \- Portable Network Graphics (PNG) Reference Library 1.7.0beta45
.SH SYNOPSIS
@ -494,7 +494,7 @@ Following is a copy of the libpng-manual.txt file that accompanies libpng.
.SH LIBPNG.TXT
libpng-manual.txt - A description on how to use and modify libpng
libpng version 1.7.0beta45 - December 23, 2014
libpng version 1.7.0beta45 - December 24, 2014
Updated and distributed by Glenn Randers-Pehrson
<glennrp at users.sourceforge.net>
Copyright (c) 1998-2014 Glenn Randers-Pehrson
@ -505,7 +505,7 @@ libpng-manual.txt - A description on how to use and modify libpng
Based on:
libpng versions 0.97, January 1998, through 1.7.0beta45 - December 23, 2014
libpng versions 0.97, January 1998, through 1.7.0beta45 - December 24, 2014
Updated and distributed by Glenn Randers-Pehrson
Copyright (c) 1998-2014 Glenn Randers-Pehrson
@ -1142,7 +1142,7 @@ callback function:
The PNG specification allows the width and height of an image to be as
large as 2^(31\-1 (0x7fffffff), or about 2.147 billion rows and columns.
Since very few applications really need to process such large images,
we have imposed an arbitrary 1-million limit on rows and columns.
we have imposed an arbitrary 640000 limit on rows and columns.
Larger images will be rejected immediately with a png_error() call. If
you wish to change this limit, you can use
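
Review bot: the unchanged context line in this paragraph reads "2^(31\-1 (0x7fffffff)", with an opening parenthesis that is never closed, while the same sentence in libpng-manual.txt reads "2^31-1". Since this paragraph is being edited anyway, fix the expression here so the two copies of the manual agree.
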
@ -5600,6 +5600,17 @@ length, which resulted in PNG files that cannot be read beyond the bad iTXt
chunk. This error was fixed in libpng-1.6.3, and a tool (called
contrib/tools/png-fix-itxt) has been added to the libpng distribution.
Starting with libpng-1.6.17, the PNG_SAFE_LIMITS macro was eliminated
and safe limits are used by default (users who need larger limits
can still override them at compile time or run time, as described above).
The new limits are
default
png_user_width_max 640,000
png_user_height_max 640,000
png_user_chunk_cache_max 128
png_user_chunk_malloc_max 8,000,000
.SH XIII. Changes to Libpng from version 1.6.x to 1.7.x
Some functions that were deprecated in libpng-1.6.0 were removed:
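
Review bot: "as described above" in the added paragraph is hard to follow in the man page, where the hunk headers put the user-limits text at about line 1142 and this paragraph at about line 5600. Suggest naming the place instead, e.g. "as described in the User limits section", and making the same change in libpng-manual.txt so the copies stay identical.
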
@ -5803,7 +5814,7 @@ Other rules can be inferred by inspecting the libpng source.
.SH XVII. Y2K Compliance in libpng
December 23, 2014
December 24, 2014
Since the PNG Development group is an ad-hoc body, we can't make
an official declaration.
@ -6073,7 +6084,7 @@ possible without all of you.
Thanks to Frank J. T. Wojcik for helping with the documentation.
Libpng version 1.7.0beta45 - December 23, 2014:
Libpng version 1.7.0beta45 - December 24, 2014:
Initially created in 1995 by Guy Eric Schalnat, then of Group 42, Inc.
Currently maintained by Glenn Randers-Pehrson (glennrp at users.sourceforge.net).
@ -6096,7 +6107,7 @@ this sentence.
This code is released under the libpng license.
libpng versions 1.2.6, August 15, 2004, through 1.7.0beta45, December 23, 2014, are
libpng versions 1.2.6, August 15, 2004, through 1.7.0beta45, December 24, 2014, are
Copyright (c) 2004,2006-2007 Glenn Randers-Pehrson, and are
distributed according to the same disclaimer and license as libpng-1.2.5
with the following individual added to the list of Contributing Authors
@ -6195,7 +6206,7 @@ certification mark of the Open Source Initiative.
Glenn Randers-Pehrson
glennrp at users.sourceforge.net
December 23, 2014
December 24, 2014
.\" end of man page

View File

@ -347,17 +347,9 @@
/* SECURITY and SAFETY:
*
* libpng is built with support for certain internal limits on both individual
* items and totals. These are documented in scripts/pnglibconf.dfa of the
* libpng is built with support for internal limits on image dimensions and
* memory usage. These are documented in scripts/pnglibconf.dfa of the
* source and recorded in the machine generated header file pnglibconf.h.
* By default there are no limits, however if the macro PNG_SAFE_LIMITS is
* set when the library is built a different, system specific, lower set of
* limits will be used.
*/
/* Moved to pngpriv.h at libpng-1.5.0 */
/* NOTE: some of these may have been used in external applications as
* these definitions were exposed in pngconf.h prior to 1.5.
*/
/* If you are running on a machine where you cannot allocate more
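
Review bot: after this change the SECURITY and SAFETY comment says only that libpng "is built with support for internal limits" and no longer says what the default behaviour is, because the sentence beginning "By default there are no limits" goes away without a replacement. Suggest adding one sentence saying that the safe limits are now in effect by default and can be overridden at compile time or run time, matching the wording added to the manual.
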

View File

@ -381,11 +381,10 @@ option IO_STATE
option USER_LIMITS requires READ
# The default settings given below for the limits mean that libpng will not
# limit the size of images or the size of data in ancilliary chunks beyond the
# specification or implementation limits. This does lead to security issues if
# PNG files come from untrusted sources. Settings have the following
# interpretations:
# The default settings given below for the limits mean that libpng will
# limit the size of images or the size of data in ancilliary chunks to less
# than the specification or implementation limits. Settings have the
# following interpretations:
#
# USER_WIDTH_MAX: maximum width of an image that will be read
# USER_HEIGHT_MAX: maximum height
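
Review bot: the rewritten comment above USER_WIDTH_MAX drops the old remark that unlimited sizes "lead to security issues if PNG files come from untrusted sources", so the file no longer says why the defaults are restrictive. Suggest keeping a short rationale, e.g. that the defaults exist because PNG files may come from untrusted sources and should only be raised deliberately. Two wording points in the new lines: "ancilliary" should be "ancillary", and "limit the size of images or the size of data" reads better with "and".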