From d81575693e52c25b43bd6a557f34190c377b958b Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
Date: Wed, 2 Aug 2017 19:21:19 -0500
Subject: [PATCH] [libng16] Check length of all chunks except IDAT against user
limit.
---
pngpread.c | 15 +++++++++++++++
pngrutil.c | 16 ++++++++++++++++
2 files changed, 31 insertions(+)
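diff --git a/pngpread.c b/pngpread.c
index 6b65ba8..690df22 100644
--- a/pngpread.c
+++ b/pngpread.c
@@ -227,6 +227,21 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr)
 png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT;
 }
 
+ else
+ {
+ png_alloc_size_t limit = PNG_SIZE_MAX;
+# ifdef PNG_SET_USER_LIMITS_SUPPORTED
+ if (png_ptr->user_chunk_malloc_max > 0 &&
+ png_ptr->user_chunk_malloc_max < limit)
+ limit = png_ptr->user_chunk_malloc_max;
+# elif PNG_USER_CHUNK_MALLOC_MAX > 0
+ if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+ limit = PNG_USER_CHUNK_MALLOC_MAX;
+# endif
+ if (png_ptr->push_length > limit)
+ png_chunk_error(png_ptr, "chunk data is too large");
+ }
+
 if (chunk_name == png_IHDR)
 {
 if (png_ptr->push_length != 13)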
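Review bot: The added `else` pairs with an `if` that closes just above it and is not visible in this hunk, so the IDAT exemption that pngrutil.c spells out as `if (png_ptr->chunk_name != png_IDAT)` is only implicit here, and the blank line between `}` and `else` makes the pairing easy to miss. A one-line comment above the `else`, such as `/* Not IDAT: check the chunk length against the user limit */`, would make the progressive and sequential read paths visibly equivalent. The limit computation is also repeated line for line in the pngrutil.c hunk; keeping it in one internal helper called from both sites would stop the two copies of this length check from drifting apart. png_push_read_chunk starts and ends outside the hunk.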
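diff --git a/pngrutil.c b/pngrutil.c
index f6f0864..412ecbb 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -177,6 +177,22 @@ png_read_chunk_header(png_structp png_ptr)
 /* Check to see if chunk name is valid. */
 png_check_chunk_name(png_ptr, png_ptr->chunk_name);
 
+ /* Check for too-large chunk length */
+ if (png_ptr->chunk_name != png_IDAT)
+ {
+ png_alloc_size_t limit = PNG_SIZE_MAX;
+# ifdef PNG_SET_USER_LIMITS_SUPPORTED
+ if (png_ptr->user_chunk_malloc_max > 0 &&
+ png_ptr->user_chunk_malloc_max < limit)
+ limit = png_ptr->user_chunk_malloc_max;
+# elif PNG_USER_CHUNK_MALLOC_MAX > 0
+ if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+ limit = PNG_USER_CHUNK_MALLOC_MAX;
+# endif
+ if (length > limit)
+ png_chunk_error(png_ptr, "chunk data is too large");
+ }
+
 #ifdef PNG_IO_STATE_SUPPORTED
 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
 #endif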
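Review bot: Because `limit` starts at `PNG_SIZE_MAX`, the test `if (length > limit)` can only fire when a smaller user limit is in force. When `user_chunk_malloc_max` is 0, or the build takes neither preprocessor branch, nothing is rejected here. Assuming `length` is the 32-bit chunk length (its declaration is outside the hunk), it cannot exceed `PNG_SIZE_MAX` on platforms where size_t is at least 32 bits. The comment should say so, for example `/* Check for too-large chunk length; has no effect unless a user chunk limit is set */`, so that callers who disable the limit do not assume an unconditional bound on chunk size. png_read_chunk_header starts and ends outside the hunk.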
--
2.21.0