diff --git a/ANNOUNCE b/ANNOUNCE index 9a50fd622..d51b7815e 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,5 +1,5 @@ -Libpng 1.7.0beta45 - December 23, 2014 +Libpng 1.7.0beta45 - December 24, 2014 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -672,7 +672,11 @@ Version 1.7.0beta44 [December 23, 2014] Corrected the width limit calculation in png_check_IHDR(). Removed extraneous handling of PNG_SAFE_LIMITS_SUPPORTED from pngconf.h -Version 1.7.0beta45 [December 23, 2014] +Version 1.7.0beta45 [December 24, 2014] + Eliminated the PNG_SAFE_LIMITS macro and set default limits in + pnglibconf.dfa, that can be reset by the user at build time or run time. + This provides a more robust defense against DOS and as-yet undiscovered + overflows. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index 823c2cfa0..b95d7f52a 100644 --- a/CHANGES +++ b/CHANGES @@ -4961,7 +4961,11 @@ Version 1.7.0beta44 [December 23, 2014] Corrected the width limit calculation in png_check_IHDR(). Removed extraneous handling of PNG_SAFE_LIMITS_SUPPORTED from pngconf.h -Version 1.7.0beta45 [December 23, 2014] +Version 1.7.0beta45 [December 24, 2014] + Eliminated the PNG_SAFE_LIMITS macro and set default limits in + pnglibconf.dfa, that can be reset by the user at build time or run time. + This provides a more robust defense against DOS and as-yet undiscovered + overflows. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/pngpriv.h b/pngpriv.h index 8a0f68c2b..ace4e3c50 100644 --- a/pngpriv.h +++ b/pngpriv.h 
@@ -347,42 +347,13 @@
 /* SECURITY and SAFETY:
 *
- * By default libpng is built without any internal limits on image size,
- * individual heap (png_malloc) allocations or the total amount of memory used.
- * If PNG_SAFE_LIMITS_SUPPORTED is defined, however, the limits below are used
- * (unless individually overridden). These limits are believed to be fairly
- * safe, but builders of secure systems should verify the values against the
- * real system capabilities.
+ * libpng is built with support for certain internal limits on both individual
+ * items and totals. These are documented in scripts/pnglibconf.dfa of the
+ * source and recorded in the machine generated header file pnglibconf.h.
+ * By default there are no limits, however if the macro PNG_SAFE_LIMITS is
+ * set when the library is built a different, system specific, lower set of
+ * limits will be used.
 */
-#ifdef PNG_SAFE_LIMITS_SUPPORTED
- /* 'safe' limits */
-# ifndef PNG_USER_WIDTH_MAX
-# define PNG_USER_WIDTH_MAX 1000000L
-# endif
-# ifndef PNG_USER_HEIGHT_MAX
-# define PNG_USER_HEIGHT_MAX 1000000L
-# endif
-# ifndef PNG_USER_CHUNK_CACHE_MAX
-# define PNG_USER_CHUNK_CACHE_MAX 128
-# endif
-# ifndef PNG_USER_CHUNK_MALLOC_MAX
-# define PNG_USER_CHUNK_MALLOC_MAX 8000000L
-# endif
-#else
- /* values for no limits */
-# ifndef PNG_USER_WIDTH_MAX
-# define PNG_USER_WIDTH_MAX 0x7fffffffL
-# endif
-# ifndef PNG_USER_HEIGHT_MAX
-# define PNG_USER_HEIGHT_MAX 0x7fffffffL
-# endif
-# ifndef PNG_USER_CHUNK_CACHE_MAX
-# define PNG_USER_CHUNK_CACHE_MAX 0
-# endif
-# ifndef PNG_USER_CHUNK_MALLOC_MAX
-# define PNG_USER_CHUNK_MALLOC_MAX 0
-# endif
-#endif
 /* Moved to pngpriv.h at libpng-1.5.0 */
 /* NOTE: some of these may have been used in external applications as
diff --git a/pngusr.dfa b/pngusr.dfa
index 9d39564b5..b9c181d45 100644
--- a/pngusr.dfa
+++ b/pngusr.dfa
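Review bot: The rewritten SECURITY and SAFETY comment contradicts the rest of this change: it says "By default there are no limits" and that defining PNG_SAFE_LIMITS selects a lower set, yet the CHANGES entry in this same commit eliminates the PNG_SAFE_LIMITS macro and scripts/pnglibconf.dfa now ships non-zero defaults (640000 for width and height, 128 cached chunks, 8000000 bytes per chunk allocation). A maintainer reading only pngpriv.h would conclude the library is unlimited unless a macro that no longer exists is defined. I would replace the last three comment lines with ` * By default the limits set in scripts/pnglibconf.dfa apply (recorded in pnglibconf.h); they can be changed at build time through pngusr.dfa or, when the run-time limit APIs are enabled, by the application.` and drop the PNG_SAFE_LIMITS reference. The comment block is complete within the hunk, and the #ifdef block it used to describe is removed here, so nothing else in this file re-establishes the values.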
@@ -4,11 +4,12 @@
 #
 # Enter build configuration options in this file
 #
-# Security settings: by default these limits are unset, you can change them
-# here by entering the appropriate values as #defines preceded by '@' (to cause,
-# them to be passed through to the build of pnglibconf.h), for example:
+# Security settings: these limits have default values that are set in
+# scripts/pnglibconf.dfa; you can change them here by entering the
+# appropriate values as #defines preceded by '@' (to cause them
+# to be passed through to the build of pnglibconf.h), for example:
 #
 # @# define PNG_USER_WIDTH_MAX 1000000
 # @# define PNG_USER_HEIGHT_MAX 1000000
-# @# define PNG_USER_CHUNK_CACHE_MAX 128
-# @# define PNG_USER_CHUNK_MALLOC_MAX 8000000
+# @# define PNG_USER_CHUNK_CACHE_MAX 256
+# @# define PNG_USER_CHUNK_MALLOC_MAX 4000000
diff --git a/scripts/pnglibconf.dfa b/scripts/pnglibconf.dfa
index 482ffd3b4..4d7e1bc2d 100644
--- a/scripts/pnglibconf.dfa
+++ b/scripts/pnglibconf.dfa
@@ -381,10 +381,11 @@ option IO_STATE
 option USER_LIMITS requires READ
-# If these settings are *not* set libpng will not limit the size of
-# images or the size of data in ancilliary chunks. This does lead to
-# security issues if PNG files come from untrusted sources. Settings have the
-# following interpretations:
+# The default settings given below for the limits mean that libpng will not
+# limit the size of images or the size of data in ancilliary chunks beyond the
+# specification or implementation limits. This does lead to security issues if
+# PNG files come from untrusted sources. Settings have the following
+# interpretations:
 #
 # USER_WIDTH_MAX: maximum width of an image that will be read
 # USER_HEIGHT_MAX: maximum height
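Review bot: The example values in the pngusr.dfa comment (256 and 4000000 for the two chunk limits) are neither the old 'safe' values nor the defaults this same change sets in scripts/pnglibconf.dfa (128 and 8000000), and nothing in the comment says which is which, so a builder who copies the example as-is silently loosens the chunk-cache limit and tightens the per-chunk allocation limit relative to the shipped defaults. I would state the defaults next to the example, e.g. `# (shipped defaults: 640000, 640000, 128 and 8000000; 0 disables only the two chunk limits)`, or use the defaults themselves as the example values. The hunk covers the whole comment, so no text outside it is affected.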
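Review bot: The new sentence saying the defaults "mean that libpng will not limit the size of images or the size of data in ancilliary chunks beyond the specification or implementation limits" is false for the defaults the next hunk (@@ -393) introduces: 640000 is far below the PNG maximum of 0x7fffffff noted beside each dimension setting, and 128 cached chunks and 8000000 bytes per allocation are caps that did not exist before. As written the comment leads a builder to believe the defaults are no-ops and that tightening them is optional. I would say instead `# The defaults given below do limit what libpng will read (image dimensions, cached ancillary chunks and per-chunk allocation); they are a defence, not a substitute for treating untrusted files with care. Settings have the following interpretations:`, which also corrects the 'ancilliary' spelling the hunk carries over. The 'option USER_LIMITS requires READ' line above is unchanged context.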
@@ -393,17 +394,10 @@ option USER_LIMITS requires READ
 #
 # Only chunks that are variable in number are counted towards the
 # USER_CHUNK_CACHE_MAX limit
-setting USER_WIDTH_MAX
-setting USER_HEIGHT_MAX
-setting USER_CHUNK_CACHE_MAX
-setting USER_CHUNK_MALLOC_MAX
-
-# To default all these settings to values that are large but probably
-# safe turn the SAFE_LIMITS option on; this will cause the value in
-# pngpriv.h to be used. Individual values can also be set, simply set
-# them in pngusr.dfa with '@#define PNG_setting value' lines.
-option SAFE_LIMITS enables USER_LIMITS disabled
-= SAFE_LIMITS SAFE_LIMITS
+setting USER_WIDTH_MAX default 640000 /* PNG max is 0x7fffffff */
+setting USER_HEIGHT_MAX default 640000 /* PNG max is 0x7fffffff */
+setting USER_CHUNK_CACHE_MAX default 128 /* Use 0 for unlimited */
+setting USER_CHUNK_MALLOC_MAX default 8000000 /* Use 0 for unlimited */
 # If this option is enabled APIs to set the above limits at run time are added;
 # without this the hardwired (compile time) limits will be used.
diff --git a/scripts/pnglibconf.h.prebuilt b/scripts/pnglibconf.h.prebuilt
index 13e062057..d32b6320b 100644
--- a/scripts/pnglibconf.h.prebuilt
+++ b/scripts/pnglibconf.h.prebuilt
@@ -2,7 +2,7 @@
 /* pnglibconf.h - library build configuration */
-/* Libpng version 1.7.0beta45 - December 23, 2014 */
+/* Libpng version 1.7.0beta45 - December 24, 2014 */
 /* Copyright (c) 1998-2014 Glenn Randers-Pehrson */
@@ -97,7 +97,6 @@
 #define PNG_READ_tIME_SUPPORTED
 #define PNG_READ_tRNS_SUPPORTED
 #define PNG_READ_zTXt_SUPPORTED
-/*#undef PNG_SAFE_LIMITS_SUPPORTED*/
 #define PNG_SAVE_INT_32_SUPPORTED
 #define PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
 #define PNG_SEQUENTIAL_READ_SUPPORTED
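Review bot: The four new `setting ... default` lines describe two different ways to disable a limit without saying so: the chunk settings say `Use 0 for unlimited`, while for USER_WIDTH_MAX and USER_HEIGHT_MAX the only hint is `PNG max is 0x7fffffff`, and the values this change removes from pngpriv.h confirm that 'no limit' for the dimensions was 0x7fffffffL rather than 0, so a zero on those lines would presumably reject every image instead of lifting the check. I would make the asymmetry explicit on both dimension lines, e.g. `setting USER_WIDTH_MAX default 640000 /* PNG max is 0x7fffffff; use that for no limit, 0 is NOT unlimited */`. The removed paragraph was also the only text in this file telling builders how to override a single value; a one-line pointer such as `# Override any of these in pngusr.dfa with '@#define PNG_setting value' lines.` would keep that discoverable. The two trailing '# If this option ...' lines belong to the next option and are unchanged context.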
@@ -197,10 +196,14 @@
 #define PNG_QUANTIZE_RED_BITS 5
 #define PNG_TEXT_Z_DEFAULT_COMPRESSION (-1)
 #define PNG_TEXT_Z_DEFAULT_STRATEGY 0
+#define PNG_USER_CHUNK_CACHE_MAX 128 /* Use 0 for unlimited */
+#define PNG_USER_CHUNK_MALLOC_MAX 8000000 /* Use 0 for unlimited */
+#define PNG_USER_HEIGHT_MAX 640000 /* PNG max is 0x7fffffff */
+#define PNG_USER_WIDTH_MAX 640000 /* PNG max is 0x7fffffff */
 #define PNG_WEIGHT_SHIFT 8
-#define PNG_ZLIB_VERNUM 0 /* unknown */
 #define PNG_ZBUF_SIZE 8192
 #define PNG_ZLIB_HEADER
+#define PNG_ZLIB_VERNUM 0 /* unknown */
 #define PNG_Z_DEFAULT_COMPRESSION (-1)
 #define PNG_Z_DEFAULT_NOFILTER_STRATEGY 0
 #define PNG_Z_DEFAULT_STRATEGY 1