[libpng16] Added PNG_SAFE_LIMITS feature to pnglibconf.dfa, pngpriv.h, and new pngusr.dfa
to reset the user limits to safe ones if PNG_SAFE_LIMITS is defined.
To enable, use CPPFLAGS=-DPNG_SAFE_LIMITS on the configure command
or put #define PNG_SAFE_LIMITS_SUPPORTED in pnglibconf.h.prebuilt.
(Reverted previous implementation of PNG_SECURE.)
diff --git a/ANNOUNCE b/ANNOUNCE
index 8c58b5d..81e3194 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -224,8 +224,10 @@
pngpread.c and use the sequential png_handle_tEXt, etc., in pngrutil.c;
now that png_ptr->buffer is inaccessible to applications, the special
handling is no longer useful.
- Added PNG_SECURE feature to pnglibconf.dfa and new pngusr.dfa file
- to reset the user limits to safe ones if PNG_SECURE is defined.
+ Added PNG_SAFE_LIMITS feature to pnglibconf.dfa, pngpriv.h, and new pngusr.dfa
+ to reset the user limits to safe ones if PNG_SAFE_LIMITS is defined.
+ To enable, use CPPFLAGS=-DPNG_SAFE_LIMITS on the configure command
+ or put #define PNG_SAFE_LIMITS_SUPPORTED in pnglibconf.h.prebuilt.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/CHANGES b/CHANGES
index 90ccd4a..411f4a2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3976,8 +3976,10 @@
pngpread.c and use the sequential png_handle_tEXt, etc., in pngrutil.c;
now that png_ptr->buffer is inaccessible to applications, the special
handling is no longer useful.
- Added PNG_SECURE feature to pnglibconf.dfa and new pngusr.dfa file
- to reset the user limits to safe ones if PNG_SECURE is defined.
+ Added PNG_SAFE_LIMITS feature to pnglibconf.dfa, pngpriv.h, and new pngusr.dfa
+ to reset the user limits to safe ones if PNG_SAFE_LIMITS is defined.
+ To enable, use CPPFLAGS=-DPNG_SAFE_LIMITS on the configure command
+ or put #define PNG_SAFE_LIMITS_SUPPORTED in pnglibconf.h.prebuilt.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/pngconf.h b/pngconf.h
index afb0092..b3a93c8 100644
--- a/pngconf.h
+++ b/pngconf.h
@@ -1,7 +1,7 @@
/* pngconf.h - machine configurable file for libpng
*
- * libpng version 1.6.0beta13 - February 19, 2012
+ * libpng version 1.6.0beta13 - February 24, 2012
*
* Copyright (c) 1998-2012 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
@@ -22,6 +22,26 @@
#ifndef PNGCONF_H
#define PNGCONF_H
+/* To do: Do all of this in scripts/pnglibconf.dfa */
+#ifdef PNG_SAFE_LIMITS_SUPPORTED
+# ifdef PNG_USER_WIDTH_MAX
+# undef PNG_USER_WIDTH_MAX
+# define PNG_USER_WIDTH_MAX 1000000L
+# endif
+# ifdef PNG_USER_HEIGHT_MAX
+# undef PNG_USER_HEIGHT_MAX
+# define PNG_USER_HEIGHT_MAX 1000000L
+# endif
+# ifdef PNG_USER_CHUNK_MALLOC_MAX
+# undef PNG_USER_CHUNK_MALLOC_MAX
+# define PNG_USER_CHUNK_MALLOC_MAX 4000000L
+# endif
+# ifdef PNG_USER_CHUNK_CACHE_MAX
+# undef PNG_USER_CHUNK_CACHE_MAX
+# define PNG_USER_CHUNK_CACHE_MAX 128
+# endif
+#endif
+
#ifndef PNG_BUILDING_SYMBOL_TABLE /* else includes may cause problems */
/* From libpng 1.6.0 libpng requires an ANSI X3.159-1989 ("ISOC90") compliant C
diff --git a/pngpriv.h b/pngpriv.h
index 617e372..9062367 100644
--- a/pngpriv.h
+++ b/pngpriv.h
@@ -194,6 +194,45 @@
# define PNG_DLL_EXPORT
#endif
+/* SECURITY and SAFETY:
+ *
+ * By default libpng is built without any internal limits on image size,
+ * individual heap (png_malloc) allocations or the total amount of memory used.
+ * If PNG_SAFE_LIMITS_SUPPORTED is defined, however, the limits below are used
+ * (unless individually overridden). These limits are believed to be fairly
+ * safe, but builders of secure systems should verify the values against the
+ * real system capabilities.
+ */
+#ifdef PNG_SAFE_LIMITS_SUPPORTED
+ /* 'safe' limits */
+# ifndef PNG_USER_WIDTH_MAX
+# define PNG_USER_WIDTH_MAX 1000000
+# endif
+# ifndef PNG_USER_HEIGHT_MAX
+# define PNG_USER_HEIGHT_MAX 1000000
+# endif
+# ifndef PNG_USER_CHUNK_CACHE_MAX
+# define PNG_USER_CHUNK_CACHE_MAX 128
+# endif
+# ifndef PNG_USER_CHUNK_MALLOC_MAX
+# define PNG_USER_CHUNK_MALLOC_MAX 8000000
+# endif
+#else
+ /* values for no limits */
+# ifndef PNG_USER_WIDTH_MAX
+# define PNG_USER_WIDTH_MAX 0x7fffffff
+# endif
+# ifndef PNG_USER_HEIGHT_MAX
+# define PNG_USER_HEIGHT_MAX 0x7fffffff
+# endif
+# ifndef PNG_USER_CHUNK_CACHE_MAX
+# define PNG_USER_CHUNK_CACHE_MAX 0
+# endif
+# ifndef PNG_USER_CHUNK_MALLOC_MAX
+# define PNG_USER_CHUNK_MALLOC_MAX 0
+# endif
+#endif
+
/* This is used for 16 bit gamma tables -- only the top level pointers are
* const; this could be changed:
*/
diff --git a/scripts/pnglibconf.dfa b/scripts/pnglibconf.dfa
index 9e4ea3e..594c890 100644
--- a/scripts/pnglibconf.dfa
+++ b/scripts/pnglibconf.dfa
@@ -27,7 +27,7 @@
# The syntax is detailed in scripts/options.awk, this is a summary
# only:
#
-# setting <name> [requires ...] [default]
+# setting <name> [default]
# #define PNG_<name> <value> /* value comes from current setting */
# option <name> [requires ...] [if ...] [enables ...] [disabled]
# #define PNG_<name>_SUPPORTED if the requirements are met and
@@ -273,20 +273,22 @@
option SET_USER_LIMITS enables SET_CHUNK_MALLOC_LIMIT
-# Added at libpng-1.0.16 and 1.2.6. To accept all valid PNGs no matter
-# how large, set these two limits to 0x7fffffff
+# Libpng limits.
+#
+# If these settings are *not* set libpng will not limit the size of
+# images or the size of data in ancilliary chunks. This does lead to
+# security issues if PNG files come from untrusted sources.
+setting USER_WIDTH_MAX
+setting USER_HEIGHT_MAX
+setting USER_CHUNK_CACHE_MAX
+setting USER_CHUNK_MALLOC_MAX
-setting USER_WIDTH_MAX default 0x7fffffff
-setting USER_HEIGHT_MAX default 0x7fffffff
-
-# Added at libpng-1.2.43. To accept all valid PNGs no matter
-# how large, set these two limits to 0.
-
-setting USER_CHUNK_CACHE_MAX default 0
-
-# Added at libpng-1.2.43
-
-setting USER_CHUNK_MALLOC_MAX default 0
+# To default all these settings to values that are large but probably
+# safe turn the SAFE_LIMITS option on; this will cause the value in
+# pngpriv.h to be used. Individual values can also be set, simply set
+# them in pngusr.dfa with '@#define PNG_setting value' lines.
+option SAFE_LIMITS enables USER_LIMITS disabled
+= SAFE_LIMITS SAFE_LIMITS
# All of the following options relate to code capabilities for
# processing image data before creating a PNG or after reading one.
diff --git a/scripts/pnglibconf.h.prebuilt b/scripts/pnglibconf.h.prebuilt
index a3e9cdd..f4079e2 100644
--- a/scripts/pnglibconf.h.prebuilt
+++ b/scripts/pnglibconf.h.prebuilt
@@ -31,10 +31,6 @@
#define PNG_QUANTIZE_GREEN_BITS 5
#define PNG_QUANTIZE_RED_BITS 5
#define PNG_sCAL_PRECISION 5
-#define PNG_USER_CHUNK_CACHE_MAX 0
-#define PNG_USER_CHUNK_MALLOC_MAX 0
-#define PNG_USER_HEIGHT_MAX 0x7fffffff
-#define PNG_USER_WIDTH_MAX 0x7fffffff
#define PNG_WEIGHT_SHIFT 8
#define PNG_ZBUF_SIZE 8192
/* end of settings */
