mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[libpng16] pngfix zero-length IDAT fix

Browse Source 
When an input file contains a zero length IDAT and pngfix is not applying the
IDAT rechunking (--max) option pngfix will go into a loop writing the zero
length IDAT for ever.

This is a fairly minor issue for interactive use; zero length IDAT is very rare,
the problem is obvious (pngfix hangs) and the fix (use --max, or --max=4096
etc), while not obvious, is easy.

For non-interactive use, e.g. trying to automatically repair a PNG that cannot
be read by libpng, there are security consequences:

1) pngfix hangs.  This may permit a DoS attack.
2) When the --out option is used pngfix will just keep writing.  This is a very
likely DoS scenario.

Signed-off-by: John Bowler <jbowler@acm.org>
This commit is contained in:
John Bowler 2016-09-01 07:22:40 -07:00
parent 39df0ced18
commit f0b453bc3e
1 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
contrib/tools/pngfix.c
View File

@ -1824,7 +1824,7 @@ IDAT_init(struct IDAT * const idat, struct file * const file)
}
static png_uint_32
rechunk_length(struct IDAT *idat)
rechunk_length(struct IDAT *idat, int start)
/* Return the length for the next IDAT chunk, taking into account
* rechunking.
*/
@ -1836,7 +1836,7 @@ rechunk_length(struct IDAT *idat)
const struct IDAT_list *cur;
unsigned int count;
if (idat->idat_index == 0) /* at the new chunk (first time) */
if (start)
return idat->idat_length; /* use the cache */
/* Otherwise rechunk_length is called at the end of a chunk for the length
@ -1995,7 +1995,7 @@ process_IDAT(struct file *file)
idat->idat_index = 0; /* Index into chunk data */
/* Update the chunk length to the correct value for the IDAT chunk: */
file->chunk->chunk_length = rechunk_length(idat);
file->chunk->chunk_length = rechunk_length(idat, 1/*start*/);
/* Change the state to writing IDAT chunks */
file->state = STATE_IDAT;
@ -3473,7 +3473,8 @@ read_callback(png_structp png_ptr, png_bytep buffer, size_t count)
/* Write another IDAT chunk. Call rechunk_length to
* calculate the length required.
*/
length = chunk->chunk_length = rechunk_length(file->idat);
length = chunk->chunk_length =
rechunk_length(file->idat, 0/*end*/);
assert(type == png_IDAT);
file->write_count = 0; /* for the new chunk */
--(file->write_count); /* fake out the increment below */