mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[libpng17] Eliminated the PNG_SAFE_LIMITS macro and set default limits in

Browse Source 
pnglibconf.dfa, that can be reset by the user at build time or run time.
This provides a more robust defense against DOS and as-yet undiscovered
overflows.
This commit is contained in:
Glenn Randers-Pehrson
2014-12-23 22:13:40 -06:00
parent 38d22ef928
commit eeab1cfefc
6 changed files with 38 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
scripts/pnglibconf.dfa
View File

@@ -381,10 +381,11 @@ option IO_STATE
option USER_LIMITS requires READ
# If these settings are *not* set libpng will not limit the size of
# images or the size of data in ancilliary chunks. This does lead to
# security issues if PNG files come from untrusted sources. Settings have the
# following interpretations:
# The default settings given below for the limits mean that libpng will not
# limit the size of images or the size of data in ancilliary chunks beyond the
# specification or implementation limits. This does lead to security issues if
# PNG files come from untrusted sources. Settings have the following
# interpretations:
#
# USER_WIDTH_MAX: maximum width of an image that will be read
# USER_HEIGHT_MAX: maximum height
@@ -393,17 +394,10 @@ option USER_LIMITS requires READ
#
# Only chunks that are variable in number are counted towards the
# USER_CHUNK_CACHE_MAX limit
setting USER_WIDTH_MAX
setting USER_HEIGHT_MAX
setting USER_CHUNK_CACHE_MAX
setting USER_CHUNK_MALLOC_MAX
# To default all these settings to values that are large but probably
# safe turn the SAFE_LIMITS option on; this will cause the value in
# pngpriv.h to be used. Individual values can also be set, simply set
# them in pngusr.dfa with '@#define PNG_setting value' lines.
option SAFE_LIMITS enables USER_LIMITS disabled
= SAFE_LIMITS SAFE_LIMITS
setting USER_WIDTH_MAX default 640000 /* PNG max is 0x7fffffff */
setting USER_HEIGHT_MAX default 640000 /* PNG max is 0x7fffffff */
setting USER_CHUNK_CACHE_MAX default 128 /* Use 0 for unlimited */
setting USER_CHUNK_MALLOC_MAX default 8000000 /* Use 0 for unlimited */
# If this option is enabled APIs to set the above limits at run time are added;
# without this the hardwired (compile time) limits will be used.