[libpng16] Added PNG_SECURE feature to pnglibconf.dfa and new pngusr.dfa file

to reset the user limits to safe ones if PNG_SECURE is defined.
diff --git a/ANNOUNCE b/ANNOUNCE
index a0c4d1c..8c58b5d 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
 
-Libpng 1.6.0beta13 - February 21, 2012
+Libpng 1.6.0beta13 - February 24, 2012
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -219,11 +219,13 @@
     on iCCP chunk length. Also removed spurious casts that may hide problems
     on 16-bit systems.
 
-Version 1.6.0beta13 [February 21, 2012]
+Version 1.6.0beta13 [February 24, 2012]
   Eliminated redundant png_push_read_tEXt|zTXt|iTXt|unknown code from
     pngpread.c and use the sequential png_handle_tEXt, etc., in pngrutil.c;
     now that png_ptr->buffer is inaccessible to applications, the special
     handling is no longer useful.
+  Added PNG_SECURE feature to pnglibconf.dfa and new pngusr.dfa file
+    to reset the user limits to safe ones if PNG_SECURE is defined.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index d7a7cf4..90ccd4a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3966,15 +3966,18 @@
   Do not increase num_palette on invalid_index.
   Relocated check for invalid palette index to pngrtran.c, after unpacking
     the sub-8-bit pixels.
-  Fixed CVE-2011-3026 buffer overrun bug.  Deal more correctly with the test
-    on iCCP chunk length. Also removed spurious casts that may hide problems
-    on 16-bit systems.
+  Fixed CVE-2011-3026 buffer overrun bug.  This bug was introduced when
+    iCCP chunk support was added at libpng-1.0.6. Deal more correctly with the
+    test on iCCP chunk length. Also removed spurious casts that may hide
+    problems on 16-bit systems.
 
-Version 1.6.0beta13 [February 21, 2012]
+Version 1.6.0beta13 [February 24, 2012]
   Eliminated redundant png_push_read_tEXt|zTXt|iTXt|unknown code from
     pngpread.c and use the sequential png_handle_tEXt, etc., in pngrutil.c;
     now that png_ptr->buffer is inaccessible to applications, the special
     handling is no longer useful.
+  Added PNG_SECURE feature to pnglibconf.dfa and new pngusr.dfa file
+    to reset the user limits to safe ones if PNG_SECURE is defined.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/pngusr.dfa b/pngusr.dfa
new file mode 100644
index 0000000..f366cd6
--- /dev/null
+++ b/pngusr.dfa
@@ -0,0 +1,16 @@
+# pngusr.dfa
+#
+# Build time configuration of libpng
+#
+# Enter build configuration options in this file
+#
+# Security settings: by default these limits are unset, you can change them
+# here by entering the appropriate values as #defines preceded by '@' (to cause
+# them to be passed through to the build of pnglibconf.h)
+@#ifdef PNG_SECURE
+@  /* Relatively secure values */
+@# define PNG_USER_WIDTH_MAX 1000000
+@# define PNG_USER_HEIGHT_MAX 1000000
+@# define PNG_USER_CHUNK_CACHE_MAX 128
+@# define PNG_USER_CHUNK_MALLOC_MAX 8000000
+@#endif
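Review bot: The header comment does not say how PNG_SECURE is meant to be defined, and this block is now the only place where the width, height, chunk-cache and chunk-malloc limits are tightened. Judging from the scripts/pnglibconf.h.prebuilt hunk in this commit, a build that uses the prebuilt header keeps 0x7fffffff and 0 whether or not PNG_SECURE is set, so the option can look enabled while having no effect. I would add a line such as `# PNG_SECURE must be defined when pnglibconf.h is generated from the .dfa files; scripts/pnglibconf.h.prebuilt is not affected`, after confirming that this matches how options.awk treats the '@' lines.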
diff --git a/scripts/pnglibconf.dfa b/scripts/pnglibconf.dfa
index 82cc9a7..9e4ea3e 100644
--- a/scripts/pnglibconf.dfa
+++ b/scripts/pnglibconf.dfa
@@ -276,8 +276,8 @@
 # Added at libpng-1.0.16 and 1.2.6.  To accept all valid PNGs no matter
 # how large, set these two limits to 0x7fffffff
 
-setting USER_WIDTH_MAX default 1000000
-setting USER_HEIGHT_MAX default 1000000
+setting USER_WIDTH_MAX default 0x7fffffff
+setting USER_HEIGHT_MAX default 0x7fffffff
 
 # Added at libpng-1.2.43.  To accept all valid PNGs no matter
 # how large, set these two limits to 0.
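Review bot: The comment above the two settings is now stale: it tells the reader to set the limits to 0x7fffffff to accept all valid PNGs, but 0x7fffffff is the new default. A default build therefore no longer caps width and height at 1000000, and the cap becomes opt-in through PNG_SECURE in pngusr.dfa. I would reword the comment to something like `# The default 0x7fffffff accepts all valid PNGs; define PNG_SECURE (see pngusr.dfa) to limit both to 1000000`. Applications that decode untrusted images without PNG_SECURE would need to set their own limits with png_set_user_limits(), which is worth mentioning here too.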
diff --git a/scripts/pnglibconf.h.prebuilt b/scripts/pnglibconf.h.prebuilt
index 8708ddf..a3e9cdd 100644
--- a/scripts/pnglibconf.h.prebuilt
+++ b/scripts/pnglibconf.h.prebuilt
@@ -3,7 +3,7 @@
 
 /* pnglibconf.h - library build configuration */
 
-/* Libpng 1.6.0beta13 - February 19, 2012 */
+/* Libpng 1.6.0beta13 - February 24, 2012 */
 
 /* Copyright (c) 1998-2012 Glenn Randers-Pehrson */
 
@@ -33,8 +33,8 @@
 #define PNG_sCAL_PRECISION 5
 #define PNG_USER_CHUNK_CACHE_MAX 0
 #define PNG_USER_CHUNK_MALLOC_MAX 0
-#define PNG_USER_HEIGHT_MAX 1000000
-#define PNG_USER_WIDTH_MAX 1000000
+#define PNG_USER_HEIGHT_MAX 0x7fffffff
+#define PNG_USER_WIDTH_MAX 0x7fffffff
 #define PNG_WEIGHT_SHIFT 8
 #define PNG_ZBUF_SIZE 8192
 /* end of settings */
diff --git a/scripts/pnglibconf.mak b/scripts/pnglibconf.mak
index d12c6ed..c799fb7 100755
--- a/scripts/pnglibconf.mak
+++ b/scripts/pnglibconf.mak
@@ -42,13 +42,13 @@
 	$(COPY) dfn3.out $@
 	$(DELETE) dfn.c dfn1.out dfn2.out dfn3.out
 
-pnglibconf.dfn: $(srcdir)/scripts/pnglibconf.dfa $(srcdir)/scripts/options.awk $(srcdir)/pngconf.h $(DFA_XTRA)
+pnglibconf.dfn: $(srcdir)/scripts/pnglibconf.dfa $(srcdir)/scripts/options.awk $(srcdir)/pngconf.h $(srcdir)/pngusr.dfa
 	$(DELETE) $@ dfn1.out dfn2.out
 	$(ECHO) "Calling $(AWK) from scripts/pnglibconf.mak" >&2
 	$(ECHO) "If 'awk' crashes try a better awk (e.g. AWK='nawk')" >&2
 	$(AWK) -f $(srcdir)/scripts/options.awk out=dfn1.out version=search\
 		$(srcdir)/pngconf.h $(srcdir)/scripts/pnglibconf.dfa\
-		$(DFA_XTRA) 1>&2
+		$(srcdir)/pngusr.dfa $(DFA_XTRA) 1>&2
 	$(AWK) -f $(srcdir)/scripts/options.awk out=dfn2.out dfn1.out 1>&2
 	$(COPY) dfn2.out $@
 	$(DELETE) dfn1.out dfn2.out
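Review bot: The prerequisite list of pnglibconf.dfn drops `$(DFA_XTRA)` while the recipe still passes `$(DFA_XTRA)` to awk, so editing that file no longer triggers regeneration. A stale pnglibconf.dfn can then keep old settings, including any user limits set through the extra .dfa file, until a clean build. Keeping both prerequisites fixes this: `pnglibconf.dfn: $(srcdir)/scripts/pnglibconf.dfa $(srcdir)/scripts/options.awk $(srcdir)/pngconf.h $(srcdir)/pngusr.dfa $(DFA_XTRA)`. The rule whose last two recipe lines open this hunk starts outside it.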