Google Git
Sign in
flutter / third_party / libpng / 347538efbdc21b8df684ebd92d37400b3ce85d55^! / .
commit347538efbdc21b8df684ebd92d37400b3ce85d55[log] [tgz]
authorGlenn Randers-Pehrson <glennrp at users.sourceforge.net>Wed Aug 02 19:21:19 2017 -0500
committerGlenn Randers-Pehrson <glennrp at users.sourceforge.net>Wed Aug 02 19:21:19 2017 -0500
tree9188579fe41cccb7e3ce3d3c26689c8562d69d28
parent2b37d46564b48efa0298f57134c6a555c223ee44 [diff]
[libng16] Check length of all chunks except IDAT against user limit.

diff --git a/ANNOUNCE b/ANNOUNCE
index e518932..bd41488 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE

@@ -1,4 +1,4 @@
-Libpng 1.6.32beta07 - August 2, 2017
+Libpng 1.6.32beta07 - August 3, 2017
 
 This is not intended to be a public release. It will be replaced
 within a few weeks by a public version or by another test version.
@@ -54,7 +54,8 @@
 Version 1.6.32beta06 [August 2, 2017]
   Removed png_get_eXIf_1() and png_set_eXIf_1().
 
-Version 1.6.32beta07 [August 2, 2017]
+Version 1.6.32beta07 [August 3, 2017]
+  Check length of all chunks except IDAT against user limit.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

diff --git a/CHANGES b/CHANGES
index 82a7878..7544d76 100644
--- a/CHANGES
+++ b/CHANGES

@@ -5937,7 +5937,8 @@
 Version 1.6.32beta06 [August 2, 2017]
   Removed png_get_eXIf_1() and png_set_eXIf_1().
 
-Version 1.6.32beta07 [August 2, 2017]
+Version 1.6.32beta07 [August 3, 2017]
+  Check length of all chunks except IDAT against user limit.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

diff --git a/pngpread.c b/pngpread.c
index 650ba1e..45b23a7 100644
--- a/pngpread.c
+++ b/pngpread.c

@@ -223,6 +223,21 @@
          png_benign_error(png_ptr, "Too many IDATs found");
    }
 
+   else
+   {
+      png_alloc_size_t limit = PNG_SIZE_MAX;
+# ifdef PNG_SET_USER_LIMITS_SUPPORTED
+      if (png_ptr->user_chunk_malloc_max > 0 &&
+          png_ptr->user_chunk_malloc_max < limit)
+         limit = png_ptr->user_chunk_malloc_max;
+# elif PNG_USER_CHUNK_MALLOC_MAX > 0
+      if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+         limit = PNG_USER_CHUNK_MALLOC_MAX;
+# endif
+      if (png_ptr->push_length > limit)
+         png_chunk_error(png_ptr, "chunk data is too large");
+   }
+
    if (chunk_name == png_IHDR)
    {
       if (png_ptr->push_length != 13)

diff --git a/pngrutil.c b/pngrutil.c
index 67c0875..60325f9 100644
--- a/pngrutil.c
+++ b/pngrutil.c

@@ -181,6 +181,22 @@
    /* Check to see if chunk name is valid. */
    png_check_chunk_name(png_ptr, png_ptr->chunk_name);
 
+   /* Check for too-large chunk length */
+   if (png_ptr->chunk_name != png_IDAT)
+   {
+      png_alloc_size_t limit = PNG_SIZE_MAX;
+# ifdef PNG_SET_USER_LIMITS_SUPPORTED
+      if (png_ptr->user_chunk_malloc_max > 0 &&
+          png_ptr->user_chunk_malloc_max < limit)
+         limit = png_ptr->user_chunk_malloc_max;
+# elif PNG_USER_CHUNK_MALLOC_MAX > 0
+      if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+         limit = PNG_USER_CHUNK_MALLOC_MAX;
+# endif
+      if (length > limit)
+         png_chunk_error(png_ptr, "chunk data is too large");
+   }
+
 #ifdef PNG_IO_STATE_SUPPORTED
    png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
 #endif