From d81575693e52c25b43bd6a557f34190c377b958b Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
Date: Wed, 2 Aug 2017 19:21:19 -0500
Subject: [PATCH] [libng16] Check length of all chunks except IDAT against user
limit.
---
pngpread.c | 15 +++++++++++++++
pngrutil.c | 16 ++++++++++++++++
2 files changed, 31 insertions(+)
diff --git a/pngpread.c b/pngpread.c
index 6b65ba8..690df22 100644
--- a/pngpread.c
+++ b/pngpread.c
@@ -227,6 +227,21 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr)
png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT;
}
+ else
+ {
+ png_alloc_size_t limit = PNG_SIZE_MAX;
+# ifdef PNG_SET_USER_LIMITS_SUPPORTED
+ if (png_ptr->user_chunk_malloc_max > 0 &&
+ png_ptr->user_chunk_malloc_max < limit)
+ limit = png_ptr->user_chunk_malloc_max;
+# elif PNG_USER_CHUNK_MALLOC_MAX > 0
+ if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+ limit = PNG_USER_CHUNK_MALLOC_MAX;
+# endif
+ if (png_ptr->push_length > limit)
+ png_chunk_error(png_ptr, "chunk data is too large");
+ }
+
if (chunk_name == png_IHDR)
{
if (png_ptr->push_length != 13)
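Review bot: The limit computation added in the new `else` block (the `PNG_SIZE_MAX` default, the `PNG_SET_USER_LIMITS_SUPPORTED` / `PNG_USER_CHUNK_MALLOC_MAX` selection, and the comparison) is repeated verbatim in the pngrutil.c hunk of this same commit, so the two readers can silently drift apart the next time the limit semantics change; a single internal helper that returns the effective chunk limit, called from both sites, would keep the sequential and progressive readers in step. The pngrutil.c copy also carries a `/* Check for too-large chunk length */` comment while this one does not; adding the same comment above the `else` would make the intent of the branch (every chunk except IDAT is bounded) visible here as well. Note that a zero `user_chunk_malloc_max` falls through to `PNG_SIZE_MAX`, i.e. effectively no limit, which is worth stating in that comment. The enclosing function `png_push_read_chunk` begins and ends outside this hunk.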
diff --git a/pngrutil.c b/pngrutil.c
index f6f0864..412ecbb 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -177,6 +177,22 @@ png_read_chunk_header(png_structp png_ptr)
/* Check to see if chunk name is valid. */
png_check_chunk_name(png_ptr, png_ptr->chunk_name);
+ /* Check for too-large chunk length */
+ if (png_ptr->chunk_name != png_IDAT)
+ {
+ png_alloc_size_t limit = PNG_SIZE_MAX;
+# ifdef PNG_SET_USER_LIMITS_SUPPORTED
+ if (png_ptr->user_chunk_malloc_max > 0 &&
+ png_ptr->user_chunk_malloc_max < limit)
+ limit = png_ptr->user_chunk_malloc_max;
+# elif PNG_USER_CHUNK_MALLOC_MAX > 0
+ if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+ limit = PNG_USER_CHUNK_MALLOC_MAX;
+# endif
+ if (length > limit)
+ png_chunk_error(png_ptr, "chunk data is too large");
+ }
+
#ifdef PNG_IO_STATE_SUPPORTED
png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
#endif
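Review bot: The new comment `/* Check for too-large chunk length */` says what the block does but not why IDAT alone is exempt or what the fallback means, which is the part a future maintainer will need. I would extend it to something like `/* Check for too-large chunk length.  IDAT is exempt (its data is presumably consumed incrementally rather than buffered whole - confirm); a user_chunk_malloc_max of 0 means no limit, so the check degenerates to length > PNG_SIZE_MAX. */`. Separately, the `# elif PNG_USER_CHUNK_MALLOC_MAX > 0` line evaluates to 0 if that macro is ever undefined in a configuration, which silently disables the check; if pnglibconf.h is guaranteed to define it this is fine, but a `-Wundef` build would surface it, so a short comment noting that assumption would help. The `length` variable tested here is defined earlier in `png_read_chunk_header`, outside this hunk.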
--
2.21.0