[libpng17] Updated comments and manual with elimination of PNG_SAFE_LIMITS

2025-07-10 18:04:09 +02:00 · 2014-12-23 22:43:57 -06:00 · 2014-12-23 22:43:57 -06:00 · d92b0f23e6
commit d92b0f23e6
parent eeab1cfefc
4 changed files with 40 additions and 27 deletions
--- a/libpng-manual.txt
+++ b/libpng-manual.txt
@ -1,6 +1,6 @@
 libpng-manual.txt - A description on how to use and modify libpng
- libpng version 1.7.0beta45 - December 23, 2014
+ libpng version 1.7.0beta45 - December 24, 2014
 Updated and distributed by Glenn Randers-Pehrson
 <glennrp at users.sourceforge.net>
 Copyright (c) 1998-2014 Glenn Randers-Pehrson
@ -11,7 +11,7 @@ libpng-manual.txt - A description on how to use and modify libpng
 Based on:
- libpng versions 0.97, January 1998, through 1.7.0beta45 - December 23, 2014
+ libpng versions 0.97, January 1998, through 1.7.0beta45 - December 24, 2014
 Updated and distributed by Glenn Randers-Pehrson
 Copyright (c) 1998-2014 Glenn Randers-Pehrson
@ -648,7 +648,7 @@ User limits
 The PNG specification allows the width and height of an image to be as
 large as 2^31-1 (0x7fffffff), or about 2.147 billion rows and columns.
 Since very few applications really need to process such large images,
-we have imposed an arbitrary 1-million limit on rows and columns.
+we have imposed an arbitrary 640000 limit on rows and columns.
 Larger images will be rejected immediately with a png_error() call. If
 you wish to change this limit, you can use
@ -5106,6 +5106,17 @@ length, which resulted in PNG files that cannot be read beyond the bad iTXt
 chunk.  This error was fixed in libpng-1.6.3, and a tool (called
 contrib/tools/png-fix-itxt) has been added to the libpng distribution.
 Starting with libpng-1.6.17, the PNG_SAFE_LIMITS macro was eliminated
 and safe limits are used by default (users who need larger limits
 can still override them at compile time or run time, as described above).
 The new limits are
                                default
   png_user_width_max           640,000
   png_user_height_max          640,000
   png_user_chunk_cache_max         128
   png_user_chunk_malloc_max  8,000,000
 XIII.  Changes to Libpng from version 1.6.x to 1.7.x
 Some functions that were deprecated in libpng-1.6.0 were removed:
@ -5309,7 +5320,7 @@ Other rules can be inferred by inspecting the libpng source.
 XVII. Y2K Compliance in libpng
-December 23, 2014
+December 24, 2014
 Since the PNG Development group is an ad-hoc body, we can't make
 an official declaration.
--- a/libpng.3
+++ b/libpng.3
@ -1,4 +1,4 @@
-.TH LIBPNG 3 "December 23, 2014"
+.TH LIBPNG 3 "December 24, 2014"
 .SH NAME
 libpng \- Portable Network Graphics (PNG) Reference Library 1.7.0beta45
 .SH SYNOPSIS
@ -494,7 +494,7 @@ Following is a copy of the libpng-manual.txt file that accompanies libpng.
 .SH LIBPNG.TXT
 libpng-manual.txt - A description on how to use and modify libpng
- libpng version 1.7.0beta45 - December 23, 2014
+ libpng version 1.7.0beta45 - December 24, 2014
 Updated and distributed by Glenn Randers-Pehrson
 <glennrp at users.sourceforge.net>
 Copyright (c) 1998-2014 Glenn Randers-Pehrson
@ -505,7 +505,7 @@ libpng-manual.txt - A description on how to use and modify libpng
 Based on:
- libpng versions 0.97, January 1998, through 1.7.0beta45 - December 23, 2014
+ libpng versions 0.97, January 1998, through 1.7.0beta45 - December 24, 2014
 Updated and distributed by Glenn Randers-Pehrson
 Copyright (c) 1998-2014 Glenn Randers-Pehrson
@ -1142,7 +1142,7 @@ callback function:
 The PNG specification allows the width and height of an image to be as
 large as 2^(31\-1 (0x7fffffff), or about 2.147 billion rows and columns.
 Since very few applications really need to process such large images,
-we have imposed an arbitrary 1-million limit on rows and columns.
+we have imposed an arbitrary 640000 limit on rows and columns.
 Larger images will be rejected immediately with a png_error() call. If
 you wish to change this limit, you can use
@ -5600,6 +5600,17 @@ length, which resulted in PNG files that cannot be read beyond the bad iTXt
 chunk.  This error was fixed in libpng-1.6.3, and a tool (called
 contrib/tools/png-fix-itxt) has been added to the libpng distribution.
 Starting with libpng-1.6.17, the PNG_SAFE_LIMITS macro was eliminated
 and safe limits are used by default (users who need larger limits
 can still override them at compile time or run time, as described above).
 The new limits are
                                default
   png_user_width_max           640,000
   png_user_height_max          640,000
   png_user_chunk_cache_max         128
   png_user_chunk_malloc_max  8,000,000
 .SH XIII.  Changes to Libpng from version 1.6.x to 1.7.x
 Some functions that were deprecated in libpng-1.6.0 were removed:
@ -5803,7 +5814,7 @@ Other rules can be inferred by inspecting the libpng source.
 .SH XVII. Y2K Compliance in libpng
-December 23, 2014
+December 24, 2014
 Since the PNG Development group is an ad-hoc body, we can't make
 an official declaration.
@ -6073,7 +6084,7 @@ possible without all of you.
 Thanks to Frank J. T. Wojcik for helping with the documentation.
-Libpng version 1.7.0beta45 - December 23, 2014:
+Libpng version 1.7.0beta45 - December 24, 2014:
 Initially created in 1995 by Guy Eric Schalnat, then of Group 42, Inc.
 Currently maintained by Glenn Randers-Pehrson (glennrp at users.sourceforge.net).
@ -6096,7 +6107,7 @@ this sentence.
 This code is released under the libpng license.
-libpng versions 1.2.6, August 15, 2004, through 1.7.0beta45, December 23, 2014, are
+libpng versions 1.2.6, August 15, 2004, through 1.7.0beta45, December 24, 2014, are
 Copyright (c) 2004,2006-2007 Glenn Randers-Pehrson, and are
 distributed according to the same disclaimer and license as libpng-1.2.5
 with the following individual added to the list of Contributing Authors
@ -6195,7 +6206,7 @@ certification mark of the Open Source Initiative.
 Glenn Randers-Pehrson
 glennrp at users.sourceforge.net
-December 23, 2014
+December 24, 2014
 .\" end of man page
--- a/pngpriv.h
+++ b/pngpriv.h
@ -347,17 +347,9 @@
 /* SECURITY and SAFETY:
 *
- * libpng is built with support for certain internal limits on both individual
+ * libpng is built with support for internal limits on image dimensions and
- * items and totals.  These are documented in scripts/pnglibconf.dfa of the
+ * memory usage.  These are documented in scripts/pnglibconf.dfa of the
 * source and recorded in the machine generated header file pnglibconf.h.
 * By default there are no limits, however if the macro PNG_SAFE_LIMITS is
 * set when the library is built a different, system specific, lower set of
 * limits will be used.
 */
 /* Moved to pngpriv.h at libpng-1.5.0 */
 /* NOTE: some of these may have been used in external applications as
 * these definitions were exposed in pngconf.h prior to 1.5.
 */
 /* If you are running on a machine where you cannot allocate more
--- a/scripts/pnglibconf.dfa
+++ b/scripts/pnglibconf.dfa
@ -381,11 +381,10 @@ option IO_STATE
 option USER_LIMITS requires READ
-# The default settings given below for the limits mean that libpng will not
+# The default settings given below for the limits mean that libpng will
-# limit the size of images or the size of data in ancilliary chunks beyond the
+# limit the size of images or the size of data in ancilliary chunks to less
-# specification or implementation limits.  This does lead to security issues if
+# than the specification or implementation limits. Settings have the
-# PNG files come from untrusted sources.  Settings have the following
+# following interpretations:
 # interpretations:
 #
 # USER_WIDTH_MAX: maximum width of an image that will be read
 # USER_HEIGHT_MAX: maximum height