From d81575693e52c25b43bd6a557f34190c377b958b Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson
Date: Wed, 2 Aug 2017 19:21:19 -0500
Subject: [PATCH] [libng16] Check length of all chunks except IDAT against user limit.
---
 pngpread.c | 15 +++++++++++++++
 pngrutil.c | 16 ++++++++++++++++
 2 files changed, 31 insertions(+)
diff --git a/pngpread.c b/pngpread.c
index 6b65ba8..690df22 100644
--- a/pngpread.c
+++ b/pngpread.c
@@ -227,6 +227,21 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr)
 png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT;
 }
+ else
+ {
+ png_alloc_size_t limit = PNG_SIZE_MAX;
+# ifdef PNG_SET_USER_LIMITS_SUPPORTED
+ if (png_ptr->user_chunk_malloc_max > 0 &&
+ png_ptr->user_chunk_malloc_max < limit)
+ limit = png_ptr->user_chunk_malloc_max;
+# elif PNG_USER_CHUNK_MALLOC_MAX > 0
+ if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+ limit = PNG_USER_CHUNK_MALLOC_MAX;
+# endif
+ if (png_ptr->push_length > limit)
+ png_chunk_error(png_ptr, "chunk data is too large");
+ }
+
 if (chunk_name == png_IHDR)
 {
 if (png_ptr->push_length != 13)
diff --git a/pngrutil.c b/pngrutil.c
index f6f0864..412ecbb 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -177,6 +177,22 @@ png_read_chunk_header(png_structp png_ptr)
 /* Check to see if chunk name is valid. */
 png_check_chunk_name(png_ptr, png_ptr->chunk_name);
+ /* Check for too-large chunk length */
+ if (png_ptr->chunk_name != png_IDAT)
+ {
+ png_alloc_size_t limit = PNG_SIZE_MAX;
+# ifdef PNG_SET_USER_LIMITS_SUPPORTED
+ if (png_ptr->user_chunk_malloc_max > 0 &&
+ png_ptr->user_chunk_malloc_max < limit)
+ limit = png_ptr->user_chunk_malloc_max;
+# elif PNG_USER_CHUNK_MALLOC_MAX > 0
+ if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+ limit = PNG_USER_CHUNK_MALLOC_MAX;
+# endif
+ if (length > limit)
+ png_chunk_error(png_ptr, "chunk data is too large");
+ }
+
 #ifdef PNG_IO_STATE_SUPPORTED
 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
 #endif
-- 
2.21.0
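Review bot: The new `else` branch in png_push_read_chunk only rejects a chunk when `png_ptr->push_length` exceeds `limit`, and `limit` is left at PNG_SIZE_MAX when neither PNG_SET_USER_LIMITS_SUPPORTED is defined nor PNG_USER_CHUNK_MALLOC_MAX is positive; on a 64-bit target that value is above anything a 31-bit chunk length can hold, so such a build silently keeps the unbounded behaviour the commit title says it removes. A comment making that dependency explicit would help anyone auditing the limit, e.g. `/* Without a configured user limit this check is a no-op on 64-bit targets; the bound that matters is png_ptr->user_chunk_malloc_max */` above the `limit` declaration. The same eleven-line limit computation is pasted verbatim into png_read_chunk_header in the pngrutil.c hunk; a single private helper returning the effective limit would keep the sequential and progressive readers from drifting apart the next time the policy changes. The added `else` also deserves a why-comment, since it hangs off the preceding `if (chunk_name == png_IDAT)` that is only partly visible: `/* Every non-IDAT chunk is bounded by the user chunk malloc limit before its length is used; IDAT is exempt by design */`. png_push_read_chunk starts and ends outside the hunk.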
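Review bot: The added block in png_read_chunk_header writes `# ifdef` / `# elif` / `# endif` with a space after the hash, while the neighbouring context lines use the file's column-0 `#ifdef PNG_IO_STATE_SUPPORTED` form; matching the local form keeps a grep for the limit checks consistent across both readers. `length` is compared against `limit` here, but its declaration and the read that fills it are outside the hunk, so whether it has already been range-checked (presumably through png_get_uint_31, which would cap it at PNG_UINT_31_MAX) is inferred rather than visible. The existing `/* Check for too-large chunk length */` would say more as `/* Reject any non-IDAT chunk longer than the user chunk malloc limit before its data is read; png_chunk_error is used so no chunk handler is reached with an over-limit length */`. A regression input with an ancillary chunk declared one byte over the configured limit, plus one with an IDAT of the same declared size, would pin both the rejection and the IDAT exemption. png_read_chunk_header starts and ends outside the hunk.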