[libpng17] Eliminated the PNG_SAFE_LIMITS macro and set default limits in

pnglibconf.dfa, that can be reset by the user at build time or run time.
This provides a more robust defense against DOS and as-yet undiscovered
overflows.

ANNOUNCE

@@ -1,5 +1,5 @@
 
-Libpng 1.7.0beta45 - December 23, 2014
+Libpng 1.7.0beta45 - December 24, 2014
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -672,7 +672,11 @@ Version 1.7.0beta44 [December 23, 2014]
   Corrected the width limit calculation in png_check_IHDR().
   Removed extraneous handling of PNG_SAFE_LIMITS_SUPPORTED from pngconf.h
 
-Version 1.7.0beta45 [December 23, 2014]
+Version 1.7.0beta45 [December 24, 2014]
+  Eliminated the PNG_SAFE_LIMITS macro and set default limits in
+    pnglibconf.dfa, that can be reset by the user at build time or run time.
+    This provides a more robust defense against DOS and as-yet undiscovered
+    overflows.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

CHANGES

@@ -4961,7 +4961,11 @@ Version 1.7.0beta44 [December 23, 2014]
   Corrected the width limit calculation in png_check_IHDR().
   Removed extraneous handling of PNG_SAFE_LIMITS_SUPPORTED from pngconf.h
 
-Version 1.7.0beta45 [December 23, 2014]
+Version 1.7.0beta45 [December 24, 2014]
+  Eliminated the PNG_SAFE_LIMITS macro and set default limits in
+    pnglibconf.dfa, that can be reset by the user at build time or run time.
+    This provides a more robust defense against DOS and as-yet undiscovered
+    overflows.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

pngpriv.h

@@ -347,42 +347,13 @@
 
 /* SECURITY and SAFETY:
  *
- * By default libpng is built without any internal limits on image size,
- * individual heap (png_malloc) allocations or the total amount of memory used.
- * If PNG_SAFE_LIMITS_SUPPORTED is defined, however, the limits below are used
- * (unless individually overridden).  These limits are believed to be fairly
- * safe, but builders of secure systems should verify the values against the
- * real system capabilities.
+ * libpng is built with support for certain internal limits on both individual
+ * items and totals.  These are documented in scripts/pnglibconf.dfa of the
+ * source and recorded in the machine generated header file pnglibconf.h.
+ * By default there are no limits, however if the macro PNG_SAFE_LIMITS is
+ * set when the library is built a different, system specific, lower set of
+ * limits will be used.
  */
-#ifdef PNG_SAFE_LIMITS_SUPPORTED
-   /* 'safe' limits */
-#  ifndef PNG_USER_WIDTH_MAX
-#     define PNG_USER_WIDTH_MAX 1000000L
-#  endif
-#  ifndef PNG_USER_HEIGHT_MAX
-#     define PNG_USER_HEIGHT_MAX 1000000L
-#  endif
-#  ifndef PNG_USER_CHUNK_CACHE_MAX
-#     define PNG_USER_CHUNK_CACHE_MAX 128
-#  endif
-#  ifndef PNG_USER_CHUNK_MALLOC_MAX
-#     define PNG_USER_CHUNK_MALLOC_MAX 8000000L
-#  endif
-#else
-   /* values for no limits */
-#  ifndef PNG_USER_WIDTH_MAX
-#     define PNG_USER_WIDTH_MAX 0x7fffffffL
-#  endif
-#  ifndef PNG_USER_HEIGHT_MAX
-#     define PNG_USER_HEIGHT_MAX 0x7fffffffL
-#  endif
-#  ifndef PNG_USER_CHUNK_CACHE_MAX
-#     define PNG_USER_CHUNK_CACHE_MAX 0
-#  endif
-#  ifndef PNG_USER_CHUNK_MALLOC_MAX
-#     define PNG_USER_CHUNK_MALLOC_MAX 0
-#  endif
-#endif
 
 /* Moved to pngpriv.h at libpng-1.5.0 */
 /* NOTE: some of these may have been used in external applications as

pngusr.dfa

@@ -4,11 +4,12 @@
 #
 # Enter build configuration options in this file
 #
-# Security settings: by default these limits are unset, you can change them
-# here by entering the appropriate values as #defines preceded by '@' (to cause,
-# them to be passed through to the build of pnglibconf.h), for example:
+# Security settings: these limits have default values that are set in
+# scripts/pnglibconf.dfa; you can change them here by entering the
+# appropriate values as #defines preceded by '@' (to cause them
+# to be passed through to the build of pnglibconf.h), for example:
 #
 # @# define PNG_USER_WIDTH_MAX 1000000
 # @# define PNG_USER_HEIGHT_MAX 1000000
-# @# define PNG_USER_CHUNK_CACHE_MAX 128
-# @# define PNG_USER_CHUNK_MALLOC_MAX 8000000
+# @# define PNG_USER_CHUNK_CACHE_MAX 256
+# @# define PNG_USER_CHUNK_MALLOC_MAX 4000000

scripts/pnglibconf.dfa

@@ -381,10 +381,11 @@ option IO_STATE
 
 option USER_LIMITS requires READ
 
-# If these settings are *not* set libpng will not limit the size of
-# images or the size of data in ancilliary chunks.  This does lead to
-# security issues if PNG files come from untrusted sources.  Settings have the
-# following interpretations:
+# The default settings given below for the limits mean that libpng will not
+# limit the size of images or the size of data in ancilliary chunks beyond the
+# specification or implementation limits.  This does lead to security issues if
+# PNG files come from untrusted sources.  Settings have the following
+# interpretations:
 #
 # USER_WIDTH_MAX: maximum width of an image that will be read
 # USER_HEIGHT_MAX: maximum height
@@ -393,17 +394,10 @@ option USER_LIMITS requires READ
 #
 # Only chunks that are variable in number are counted towards the
 # USER_CHUNK_CACHE_MAX limit
-setting USER_WIDTH_MAX
-setting USER_HEIGHT_MAX
-setting USER_CHUNK_CACHE_MAX
-setting USER_CHUNK_MALLOC_MAX
-
-# To default all these settings to values that are large but probably
-# safe turn the SAFE_LIMITS option on; this will cause the value in
-# pngpriv.h to be used.  Individual values can also be set, simply set
-# them in pngusr.dfa with '@#define PNG_setting value' lines.
-option SAFE_LIMITS enables USER_LIMITS disabled
-= SAFE_LIMITS SAFE_LIMITS
+setting USER_WIDTH_MAX default         640000 /* PNG max is 0x7fffffff */
+setting USER_HEIGHT_MAX default        640000 /* PNG max is 0x7fffffff */
+setting USER_CHUNK_CACHE_MAX default      128 /* Use 0 for unlimited */
+setting USER_CHUNK_MALLOC_MAX default 8000000 /* Use 0 for unlimited */
 
 # If this option is enabled APIs to set the above limits at run time are added;
 # without this the hardwired (compile time) limits will be used.

scripts/pnglibconf.h.prebuilt

@@ -2,7 +2,7 @@
 
 /* pnglibconf.h - library build configuration */
 
-/* Libpng version 1.7.0beta45 - December 23, 2014 */
+/* Libpng version 1.7.0beta45 - December 24, 2014 */
 
 /* Copyright (c) 1998-2014 Glenn Randers-Pehrson */
 
@@ -97,7 +97,6 @@
 #define PNG_READ_tIME_SUPPORTED
 #define PNG_READ_tRNS_SUPPORTED
 #define PNG_READ_zTXt_SUPPORTED
-/*#undef PNG_SAFE_LIMITS_SUPPORTED*/
 #define PNG_SAVE_INT_32_SUPPORTED
 #define PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
 #define PNG_SEQUENTIAL_READ_SUPPORTED
@@ -197,10 +196,14 @@
 #define PNG_QUANTIZE_RED_BITS 5
 #define PNG_TEXT_Z_DEFAULT_COMPRESSION (-1)
 #define PNG_TEXT_Z_DEFAULT_STRATEGY 0
+#define PNG_USER_CHUNK_CACHE_MAX 128 /* Use 0 for unlimited */
+#define PNG_USER_CHUNK_MALLOC_MAX 8000000 /* Use 0 for unlimited */
+#define PNG_USER_HEIGHT_MAX 640000 /* PNG max is 0x7fffffff */
+#define PNG_USER_WIDTH_MAX 640000 /* PNG max is 0x7fffffff */
 #define PNG_WEIGHT_SHIFT 8
-#define PNG_ZLIB_VERNUM 0 /* unknown */
 #define PNG_ZBUF_SIZE 8192
 #define PNG_ZLIB_HEADER <zlib.h>
+#define PNG_ZLIB_VERNUM 0 /* unknown */
 #define PNG_Z_DEFAULT_COMPRESSION (-1)
 #define PNG_Z_DEFAULT_NOFILTER_STRATEGY 0
 #define PNG_Z_DEFAULT_STRATEGY 1