head 1.12; access; symbols OPENPKG_E1_MP_HEAD:1.10 OPENPKG_E1_MP:1.10 OPENPKG_E1_MP_2_STABLE:1.7.8.1 OPENPKG_E1_FP:1.7.8.1 OPENPKG_2_STABLE_MP:1.11 OPENPKG_2_STABLE_20061018:1.7.8.1 OPENPKG_2_STABLE_20060622:1.7 OPENPKG_2_STABLE:1.7.0.8 OPENPKG_2_STABLE_BP:1.7 OPENPKG_2_5_RELEASE:1.7 OPENPKG_2_5_SOLID:1.7.0.6 OPENPKG_2_5_SOLID_BP:1.7 OPENPKG_2_4_RELEASE:1.7 OPENPKG_2_4_SOLID:1.7.0.4 OPENPKG_2_4_SOLID_BP:1.7 OPENPKG_CW_FP:1.7 OPENPKG_2_3_RELEASE:1.7 OPENPKG_2_3_SOLID:1.7.0.2 OPENPKG_2_3_SOLID_BP:1.7 OPENPKG_2_2_RELEASE:1.4 OPENPKG_2_2_SOLID:1.4.0.2 OPENPKG_2_2_SOLID_BP:1.4 OPENPKG_2_1_RELEASE:1.3 OPENPKG_2_1_SOLID:1.3.0.2 OPENPKG_2_1_SOLID_BP:1.3 OPENPKG_1_3_SOLID:1.2.0.2 OPENPKG_2_0_RELEASE:1.1 OPENPKG_2_0_SOLID:1.1.0.2 OPENPKG_2_0_SOLID_BP:1.1; locks; strict; comment @# @; 1.12 date 2009.03.20.19.35.06; author rse; state Exp; branches; next 1.11; commitid 2btyN85lXZ8P6OGt; 1.11 date 2007.03.14.18.39.22; author rse; state Exp; branches; next 1.10; commitid MLMjAefhoZptu5as; 1.10 date 2006.11.01.11.15.07; author rse; state Exp; branches; next 1.9; commitid UCN4yuSUIKv7jXSr; 1.9 date 2006.10.14.09.20.20; author rse; state Exp; branches; next 1.8; commitid YJDxSweBfVzCfDQr; 1.8 date 2006.10.12.18.48.11; author rse; state Exp; branches; next 1.7; commitid hlHhas5wP4lpsqQr; 1.7 date 2004.12.17.11.50.48; author ms; state Exp; branches 1.7.8.1; next 1.6; 1.6 date 2004.10.28.10.49.34; author ms; state Exp; branches; next 1.5; 1.5 date 2004.10.28.08.51.38; author ms; state Exp; branches; next 1.4; 1.4 date 2004.08.04.14.01.52; author thl; state Exp; branches; next 1.3; 1.3 date 2004.07.01.10.30.05; author tho; state Exp; branches 1.3.2.1; next 1.2; 1.2 date 2004.04.29.15.06.56; author thl; state Exp; branches 1.2.2.1; next 1.1; 1.1 date 2004.02.12.08.10.48; author rse; state Exp; branches 1.1.2.1; next ; 1.7.8.1 date 2006.10.16.14.54.00; author rse; state Exp; branches; next 1.7.8.2; commitid iZxwRSmmWscPXUQr; 1.7.8.2 date 2006.12.22.19.13.28; author thl; state Exp; branches; next 1.7.8.3; commitid 2LefOfqsS8nsjyZr; 1.7.8.3 date 2007.03.18.23.32.15; author thl; state Exp; branches; next ; commitid j886gsownDQWXCas; 1.3.2.1 date 2004.08.04.14.02.58; author thl; state Exp; branches; next ; 1.2.2.1 date 2004.04.29.19.56.25; author thl; state Exp; branches; next 1.2.2.2; 1.2.2.2 date 2004.07.06.13.41.39; author tho; state Exp; branches; next ; 1.1.2.1 date 2004.04.29.16.17.51; author thl; state Exp; branches; next 1.1.2.2; 1.1.2.2 date 2004.07.06.13.33.23; author tho; state Exp; branches; next 1.1.2.3; 1.1.2.3 date 2004.08.04.14.05.38; author thl; state Exp; branches; next ; desc @@ 1.12 log @upgrading package: pdflib 7.0.2 -> 7.0.4 @ text @Index: config/mkmainlib.inc.in --- config/mkmainlib.inc.in.orig 2008-02-28 10:42:52 +0100 +++ config/mkmainlib.inc.in 2008-02-29 19:09:25 +0100 @@@@ -29,7 +29,7 @@@@ @@-if test "$(WITH_SHARED)" = "no"; then \ cp .libs/$(MAINLIBNAME) .libs/$(MAINLIBNAME)i;\ fi - $(LIBTOOL) $(INSTALL_DATA) $(MAINLIBNAME) $(DESTDIR)$(libdir); + $(LIBTOOL) --mode=install $(INSTALL_DATA) $(MAINLIBNAME) $(DESTDIR)$(libdir); @@-if test "$(WITH_SHARED)" = "yes"; then \ $(LIBTOOL) -n --finish $(DESTDIR)$(libdir);\ else\ Index: configure --- configure.orig 2008-02-28 10:42:52 +0100 +++ configure 2008-02-29 18:46:33 +0100 @@@@ -9320,6 +9320,7 @@@@ # zlib +if [ ".$FLATELIBINC" = . -a ".$FLATELIBLINK" = . ]; then if test -d libs/flate ; then FLATELIBINC="-I\$(top_builddir)/libs/flate" FLATELIBLINK="\$(top_builddir)/libs/flate/libz\$(LA)" @@@@ -9328,10 +9329,12 @@@@ FLATELIBINC="" FLATELIBLINK="" fi +fi # pnglib +if [ ".$PNGLIBINC" = . -a ".$PNGLIBLINK" = . ]; then if test -d libs/png ; then PNGLIBINC="-I\$(top_builddir)/libs/png" PNGLIBLINK="\$(top_builddir)/libs/png/libpng\$(LA)" @@@@ -9340,10 +9343,12 @@@@ PNGLIBINC="" PNGLIBLINK="" fi +fi # tifflib +if [ ".$TIFFLIBINC" = . -a ".$TIFFLIBLINK" = . ]; then if test -d libs/tiff ; then TIFFLIBINC="-I\$(top_builddir)/libs/tiff" TIFFLIBLINK="\$(top_builddir)/libs/tiff/libtiff\$(LA)" @@@@ -9352,10 +9357,12 @@@@ TIFFLIBINC="" TIFFLIBLINK="" fi +fi # jpeglib +if [ ".$JPEGLIBINC" = . -a ".$JPEGLIBLINK" = . ]; then if test -d libs/jpeg ; then JPEGLIBINC="-I\$(top_builddir)/libs/jpeg" JPEGLIBLINK="\$(top_builddir)/libs/jpeg/libjpeg\$(LA)" @@@@ -9364,6 +9371,7 @@@@ JPEGLIBINC="" JPEGLIBLINK="" fi +fi Index: libs/tiff/tif_ojpeg.c --- libs/tiff/tif_ojpeg.c.orig 2008-02-28 10:42:58 +0100 +++ libs/tiff/tif_ojpeg.c 2008-02-29 18:46:33 +0100 @@@@ -141,7 +141,9 @@@@ #undef JPEG_INTERNALS /* Hack for files produced by Wang Imaging application on Microsoft Windows */ +#if 0 extern void jpeg_reset_huff_decode(j_decompress_ptr); +#endif /* PDFlib GmbH */ #if defined(__ia64__) && defined (__linux__) @@@@ -1110,7 +1112,9 @@@@ "jdshuff.c", if Ken Murchison's lossless-Huffman patch is applied), and we invoke that interface here after decoding each "strip". */ +#if 0 if (sp->is_WANG) jpeg_reset_huff_decode(&sp->cinfo.d); +#endif return 1; } @@@@ -1209,7 +1213,9 @@@@ "jdshuff.c", if Ken Murchison's lossless-Huffman patch is applied), and we invoke that interface here after decoding each "strip". */ +#if 0 if (sp->is_WANG) jpeg_reset_huff_decode(&sp->cinfo.d); +#endif return 1; } @ 1.11 log @upgrading package: pdflib 7.0.0p3 -> 7.0.1 @ text @d2 2 a3 2 --- config/mkmainlib.inc.in.orig 2006-10-30 22:21:53 +0100 +++ config/mkmainlib.inc.in 2006-11-01 12:09:24 +0100 d8 2 a9 2 - $(LIBTOOL) $(INSTALL_DATA) $(MAINLIBNAME) $(libdir); + $(LIBTOOL) --mode=install $(INSTALL_DATA) $(MAINLIBNAME) $(libdir); d11 1 a11 1 $(LIBTOOL) -n --finish $(libdir);\ d14 3 a16 3 --- configure.orig 2006-10-30 22:21:53 +0100 +++ configure 2006-11-01 12:09:24 +0100 @@@@ -9152,6 +9152,7 @@@@ d24 1 a24 1 @@@@ -9160,10 +9161,12 @@@@ d37 1 a37 1 @@@@ -9172,10 +9175,12 @@@@ d50 1 a50 1 @@@@ -9184,10 +9189,12 @@@@ d63 1 a63 1 @@@@ -9196,6 +9203,7 @@@@ d72 2 a73 2 --- libs/tiff/tif_ojpeg.c.orig 2006-10-30 22:22:01 +0100 +++ libs/tiff/tif_ojpeg.c 2006-11-01 12:09:24 +0100 @ 1.10 log @upgrading package: pdflib 7.0.0p1 -> 7.0.0p3 @ text @d1 3 a3 3 Index: config/mkmainlib.inc --- config/mkmainlib.inc.orig 2006-10-30 22:21:53 +0100 +++ config/mkmainlib.inc 2006-11-01 12:09:24 +0100 @ 1.9 log @fix tracking by adjusting URLs; upgrade to latest version; fix building against OpenPKG's stock JPEG library by disabling some hacks in PDFLib's TIFF library which allow reading for invalid TIFF files @ text @d2 3 a4 4 diff -Nau config/mkmainlib.inc.orig config/mkmainlib.inc --- config/mkmainlib.inc.orig 2004-01-26 14:30:23.000000000 +0100 +++ config/mkmainlib.inc 2004-02-12 09:08:24.000000000 +0100 @@@@ -28,7 +28,7 @@@@ d14 3 a16 17 diff -Nau configure.orig configure --- configure.orig 2004-07-07 20:29:08.000000000 +0200 +++ configure 2004-10-27 17:04:45.110483011 +0200 @@@@ -3183,12 +3183,9 @@@@ fi; ac_sys_arch=`uname -p` - DEFINES="$DEFINES -mt" - EXTERNALLIBS="$EXTERNALLIBS -mt" if test "$WITH_64BIT" = "yes"; then PLATFORM="-DPDF_PLATFORM=\\\"\"SunOS64\"\\\"" - DEFINES="$DEFINES -xarch=v9"; if test "$ac_sys_arch" = "sparc" ; then DEFINES="$DEFINES -DPDC_PF_SOLARIS_SPARC64" fi @@@@ -8908,6 +8908,7 @@@@ d24 1 a24 1 @@@@ -8917,10 +8918,12 @@@@ d37 1 a37 1 @@@@ -8930,10 +8933,12 @@@@ d50 1 a50 1 @@@@ -8943,10 +8948,12 @@@@ d63 1 a63 1 @@@@ -8956,6 +8963,7 @@@@ a70 1 d72 2 a73 2 --- libs/tiff/tif_ojpeg.c.orig 2006-10-12 10:24:39 +0200 +++ libs/tiff/tif_ojpeg.c 2006-10-14 11:16:02 +0200 @ 1.8 log @remove crap from patch and fix building under Solaris @ text @d86 34 @ 1.7 log @port again to standard jpeg library by using new jinclude.h from >= jpeg-6b-20041217, and... upgrading package: pdflib 6.0.0p1 -> 6.0.1 @ text @d18 13 a85 50 Index: libs/tiff/tif_ojpeg.c diff -Nau libs/tiff/tif_ojpeg.c.orig libs/tiff/tif_ojpeg.c --- libs/tiff/tif_ojpeg.c.orig 2004-07-07 20:29:14 +0200 +++ libs/tiff/tif_ojpeg.c 2004-10-28 12:27:57 +0200 @@@@ -140,9 +140,6 @@@@ #undef JPEG_CJPEG_DJPEG #undef JPEG_INTERNALS -/* Hack for files produced by Wang Imaging application on Microsoft Windows */ -extern void jpeg_reset_huff_decode(j_decompress_ptr); - /* PDFlib GmbH */ #if defined(__ia64__) && defined (__linux__) #define PDFLIB_ALIGN16 @@@@ -1085,17 +1082,6 @@@@ buf += bytesperline; ++tif->tif_row; }; - - /* BEWARE OF KLUDGE: If our input file was produced by Microsoft's Wang - Imaging for Windows application, the DC coefficients of - each JPEG image component (Y,Cb,Cr) must be reset at the end of each TIFF - "strip", and any JPEG data bits remaining in the current Byte of the - decoder's input buffer must be discarded. To do so, we create an "ad hoc" - interface in the "jdhuff.c" module of IJG JPEG Library Version 6 (module - "jdshuff.c", if Ken Murchison's lossless-Huffman patch is applied), and we - invoke that interface here after decoding each "strip". - */ - if (sp->is_WANG) jpeg_reset_huff_decode(&sp->cinfo.d); return 1; } @@@@ -1184,17 +1170,6 @@@@ buf += sp->bytesperline; ++tif->tif_row; }; - - /* BEWARE OF KLUDGE: If our input file was produced by Microsoft's Wang - Imaging for Windows application, the DC coefficients of - each JPEG image component (Y,Cb,Cr) must be reset at the end of each TIFF - "strip", and any JPEG data bits remaining in the current Byte of the - decoder's input buffer must be discarded. To do so, we create an "ad hoc" - interface in the "jdhuff.c" module of IJG JPEG Library Version 6 (module - "jdshuff.c", if Ken Murchison's lossless-Huffman patch is applied), and we - invoke that interface here after decoding each "strip". - */ - if (sp->is_WANG) jpeg_reset_huff_decode(&sp->cinfo.d); return 1; } @ 1.7.8.1 log @Mass merge from CURRENT to 2-STABLE (all packages except those of JUNK class) @ text @a17 13 @@@@ -3183,12 +3183,9 @@@@ fi; ac_sys_arch=`uname -p` - DEFINES="$DEFINES -mt" - EXTERNALLIBS="$EXTERNALLIBS -mt" if test "$WITH_64BIT" = "yes"; then PLATFORM="-DPDF_PLATFORM=\\\"\"SunOS64\"\\\"" - DEFINES="$DEFINES -xarch=v9"; if test "$ac_sys_arch" = "sparc" ; then DEFINES="$DEFINES -DPDC_PF_SOLARIS_SPARC64" fi a72 1 d74 5 a78 3 --- libs/tiff/tif_ojpeg.c.orig 2006-10-12 10:24:39 +0200 +++ libs/tiff/tif_ojpeg.c 2006-10-14 11:16:02 +0200 @@@@ -141,7 +141,9 @@@@ d81 3 a83 5 /* Hack for files produced by Wang Imaging application on Microsoft Windows */ +#if 0 extern void jpeg_reset_huff_decode(j_decompress_ptr); +#endif d86 16 a101 7 @@@@ -1110,7 +1112,9 @@@@ "jdshuff.c", if Ken Murchison's lossless-Huffman patch is applied), and we invoke that interface here after decoding each "strip". */ +#if 0 if (sp->is_WANG) jpeg_reset_huff_decode(&sp->cinfo.d); +#endif d105 15 a119 7 @@@@ -1209,7 +1213,9 @@@@ "jdshuff.c", if Ken Murchison's lossless-Huffman patch is applied), and we invoke that interface here after decoding each "strip". */ +#if 0 if (sp->is_WANG) jpeg_reset_huff_decode(&sp->cinfo.d); +#endif @ 1.7.8.2 log @MFC: make up leeway for 2_STABLE by virtue of build-time results @ text @d2 4 a5 3 --- config/mkmainlib.inc.orig 2006-10-30 22:21:53 +0100 +++ config/mkmainlib.inc 2006-11-01 12:09:24 +0100 @@@@ -29,7 +29,7 @@@@ d15 17 a31 3 --- configure.orig 2006-10-30 22:21:53 +0100 +++ configure 2006-11-01 12:09:24 +0100 @@@@ -9152,6 +9152,7 @@@@ d39 1 a39 1 @@@@ -9160,10 +9161,12 @@@@ d52 1 a52 1 @@@@ -9172,10 +9175,12 @@@@ d65 1 a65 1 @@@@ -9184,10 +9189,12 @@@@ d78 1 a78 1 @@@@ -9196,6 +9203,7 @@@@ d86 1 d88 2 a89 2 --- libs/tiff/tif_ojpeg.c.orig 2006-10-30 22:22:01 +0100 +++ libs/tiff/tif_ojpeg.c 2006-11-01 12:09:24 +0100 @ 1.7.8.3 log @MFC: make up leeway for 2_STABLE by virtue of build-time results @ text @d1 3 a3 3 Index: config/mkmainlib.inc.in --- config/mkmainlib.inc.in.orig 2006-10-30 22:21:53 +0100 +++ config/mkmainlib.inc.in 2006-11-01 12:09:24 +0100 @ 1.6 log @whip this misbehaving metadistro into shape by removing png, zlib, and jpeg aggregate sources (sadly the composite tiff sources are so badly hacked that they cannot be removed) @ text @d18 1 a18 1 @@@@ -8853,6 +8853,7 @@@@ d26 1 a26 1 @@@@ -8862,10 +8863,12 @@@@ d39 1 a39 1 @@@@ -8875,10 +8878,12 @@@@ d52 1 a52 1 @@@@ -8888,10 +8893,12 @@@@ d65 1 a65 1 @@@@ -8901,6 +8908,7 @@@@ d84 4 a87 4 /* On some machines, it may be worthwhile to use "_setjmp()" or "sigsetjmp()" instead of "setjmp()". These macros make it easier: */ @@@@ -1042,17 +1039,6 @@@@ d105 1 a105 1 @@@@ -1138,17 +1124,6 @@@@ @ 1.5 log @modifying package: pdflib-6.0.0p1 20040804 -> 20041028 @ text @d2 1 d15 1 d18 14 a31 1 @@@@ -8866,6 +8866,7 @@@@ d39 1 a39 1 @@@@ -8875,6 +8876,7 @@@@ d47 76 @ 1.4 log @SA-2004.035-png; CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 @ text @d13 16 a28 22 Steve G Libpng accesses memory that is out of bounds when creating an error message Index: pngerror.c --- libs/png/pngerror.c.orig 2002-10-03 13:32:27.000000000 +0200 +++ libs/png/pngerror.c 2004-04-28 13:24:22.000000000 +0200 @@@@ -135,10 +135,13 @@@@ buffer[iout] = 0; else { + png_size_t len; + if ((len = png_strlen(error_message)) > 63) + len = 63; buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer+iout, error_message, 64); - buffer[iout+63] = 0; + png_memcpy(buffer+iout, error_message, len); + buffer[iout+len] = 0; } } a29 94 Index: libs/png/pngrtran.c --- libs/png/pngrtran.c.orig 2004-01-26 14:30:33 +0100 +++ libs/png/pngrtran.c 2004-07-01 12:10:25 +0200 @@@@ -1890,8 +1890,8 @@@@ /* This changes the data from GG to GGXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@@@ -1908,8 +1908,8 @@@@ /* This changes the data from GG to XXGG */ else { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < row_width; i++) { *(--dp) = *(--sp); @@@@ -1966,8 +1966,8 @@@@ /* This changes the data from RRGGBB to RRGGBBXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width * 3; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 6; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@@@ -1988,8 +1988,8 @@@@ /* This changes the data from RRGGBB to XXRRGGBB */ else { - png_bytep sp = row + (png_size_t)row_width * 3; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 6; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < row_width; i++) { *(--dp) = *(--sp); http://www.graphicsmagick.org/libpng/beta/patches/INFO.txt > [Problems discovered and fixed by] Chris Evans > > 1) Remotely exploitable stack-based buffer overrun in png_handle_tRNS (pngrutil.c) > 2) Dangerous code in png_handle_sBIT (pngrutil.c) CAN-2004-0597 > 3) Possible NULL-pointer crash in png_handle_iCCP (pngrutil.c) > this flaw is duplicated in multiple other locations. CAN-2004-0598 > 4) Theoretical integer overflow in allocation in png_handle_sPLT (pngrutil.c) > 5) Integer overflow in png_read_png (pngread.c) > 6) Integer overflows during progressive reading. > 7) Other flaws. [integer overflows] CAN-2004-0599 http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch03-trns-chunk-overflow.txt Use to patch libpng-1.0.9 through 1.2.5 This fixes the most dangerous of the newly reported vulnerabilities diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch03/pngrutil.c --- libs/png/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libs/png/pngrutil.c Fri Jul 23 18:54:36 2004 @@@@ -1241,7 +1241,8 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before tRNS"); } - else if (length > (png_uint_32)png_ptr->num_palette) + if (length > (png_uint_32)png_ptr->num_palette || + length > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect tRNS chunk length"); png_crc_finish(png_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch04-get-uint-31.txt Use to patch libpng-1.0.6 through 1.2.5 This patch defines PNG_UINT_31_MAX, PNG_UINT_32_MAX, PNG_SIZE_MAX, and png_get_uint_31(), which are needed by patches 05-08. diff -r -U 3 libpng-1.2.5/png.h libpng-1.2.5patch04/png.h --- libs/png/png.h.orig Thu Oct 3 06:32:26 2002 +++ libs/png/png.h Fri Jul 23 18:56:27 2004 @@@@ -833,7 +833,11 @@@@ typedef png_info FAR * FAR * png_infopp; a30 7 /* Maximum positive integer used in PNG is (2^31)-1 */ -#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL) +#define PNG_UINT_32_MAX (~((png_uint_32)0)) +#define PNG_SIZE_MAX (~((png_size_t)0)) +/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */ +#define PNG_MAX_UINT PNG_UINT_31_MAX a31 280 /* These describe the color_type field in png_info. */ /* color type masks */ @@@@ -2655,6 +2659,8 @@@@ PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf)); PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf)); #endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */ +PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr, + png_bytep buf)); /* Initialize png_ptr struct for reading, and allocate any other memory. * (old interface - DEPRECATED - use png_create_read_struct instead). diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch04/pngrutil.c --- libs/png/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libs/png/pngrutil.c Fri Jul 23 18:56:27 2004 @@@@ -38,6 +38,14 @@@@ # endif #endif +png_uint_32 /* PRIVATE */ +png_get_uint_31(png_structp png_ptr, png_bytep buf) +{ + png_uint_32 i = png_get_uint_32(buf); + if (i > PNG_UINT_31_MAX) + png_error(png_ptr, "PNG unsigned integer out of range.\n"); + return (i); +} #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */ png_uint_32 /* PRIVATE */ http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch06-pngread-chunklength.txt Use to patch libpng-1.0.13 through 1.0.15 and 1.2.2 through 1.2.5. Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch06/pngread.c --- libs/png/pngread.c.orig Thu Oct 3 06:32:29 2002 +++ libs/png/pngread.c Fri Jul 23 18:59:57 2004 @@@@ -384,7 +384,7 @@@@ png_uint_32 length; png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -392,9 +392,6 @@@@ png_debug2(0, "Reading %s chunk, length=%lu.\n", png_ptr->chunk_name, length); - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); - /* This should be a binary subdivision search or a hash for * matching the chunk name rather than a linear search. */ @@@@ -673,10 +670,7 @@@@ png_crc_finish(png_ptr, 0); png_read_data(png_ptr, chunk_length, 4); - png_ptr->idat_size = png_get_uint_32(chunk_length); - - if (png_ptr->idat_size > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); + png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -946,15 +940,12 @@@@ #endif /* PNG_GLOBAL_ARRAYS */ png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_debug1(0, "Reading %s chunk.\n", png_ptr->chunk_name); - - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4)) png_handle_IHDR(png_ptr, info_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch07-png-read-png-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch07/pngread.c --- libs/png/pngread.c.orig Thu Oct 3 06:32:29 2002 +++ libs/png/pngread.c Fri Jul 23 19:01:39 2004 @@@@ -1299,6 +1299,9 @@@@ */ png_read_info(png_ptr, info_ptr); + if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep)) + png_error(png_ptr,"Image is too high to process with png_read_png()"); + /* -------------- image transformations start here ------------------- */ #if defined(PNG_READ_16_TO_8_SUPPORTED) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch08-splt-buffer-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). Requires libpng-patch04-* The "sPLT chunk too long" check from Matthias Clasen (RedHat libpng package maintainer) diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch08/pngrutil.c --- libs/png/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libs/png/pngrutil.c Fri Jul 23 19:02:48 2004 @@@@ -1154,8 +1154,18 @@@@ } new_palette.nentries = data_length / entry_size; - new_palette.entries = (png_sPLT_entryp)png_malloc( + if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry)) + { + png_warning(png_ptr, "sPLT chunk too long"); + return; + } + new_palette.entries = (png_sPLT_entryp)png_malloc_warn( png_ptr, new_palette.nentries * sizeof(png_sPLT_entry)); + if (new_palette.entries == NULL) + { + png_warning(png_ptr, "sPLT chunk requires too much memory"); + return; + } #ifndef PNG_NO_POINTER_INDEXING for (i = 0; i < new_palette.nentries; i++) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch09-null-iccp-profile.txt Use to patch libpng-1.0.9 through 1.2.5. Does not work with libpng-1.0.6-1.0.8. Libpng-1.0.5 and earlier didn't implement iCCP chunk reading. diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch09/pngrutil.c --- libs/png/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libs/png/pngrutil.c Fri Jul 23 19:04:28 2004 @@@@ -977,8 +977,7 @@@@ png_bytep pC; png_charp profile; png_uint_32 skip = 0; - png_uint_32 profile_size = 0; - png_uint_32 profile_length = 0; + png_uint_32 profile_size, profile_length; png_size_t slength, prefix_length, data_length; png_debug(1, "in png_handle_iCCP\n"); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch10-find-duplicate-chunk.txt Use to patch libpng-1.0.6 through 1.2.5 Does not work with libpng-1.0.5 and earlier. No security problem. The bugs are similar to the one fixed in patch 03, but the only effect is that libpng will fail to detect misplaced harmless duplicate chunks. diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch10/pngrutil.c --- libs/png/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libs/png/pngrutil.c Fri Jul 23 19:05:40 2004 @@@@ -579,7 +579,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place gAMA chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -660,7 +660,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sBIT chunk"); } - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) { png_warning(png_ptr, "Duplicate sBIT chunk"); png_crc_finish(png_ptr, length); @@@@ -729,7 +729,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before cHRM"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -891,7 +891,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sRGB chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) { png_warning(png_ptr, "Duplicate sRGB chunk"); png_crc_finish(png_ptr, length); @@@@ -995,7 +995,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place iCCP chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) { png_warning(png_ptr, "Duplicate iCCP chunk"); png_crc_finish(png_ptr, length); This patch from Chris Evans avoids a host of security problems related to buffer overflows that might occur when processing very large images. It causes the reader to reject any images claiming to have more rows or columns the png format supports. diff -ru libpng-1.2.5/png.h libpng-1.2.5.fix/png.h --- libs/png/png.h.orig 2002-10-03 12:32:26.000000000 +0100 +++ libs/png/png.h 2004-07-13 23:18:10.000000000 +0100 @@@@ -835,6 +835,9 @@@@ /* Maximum positive integer used in PNG is (2^31)-1 */ #define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +/* Constraints on width, height, (2 ^ 24) - 1*/ +#define PNG_MAX_DIMENSION 16777215 + /* These describe the color_type field in png_info. */ /* color type masks */ #define PNG_COLOR_MASK_PALETTE 1 diff -ru libpng-1.2.5/pngrutil.c libpng-1.2.5.fix/pngrutil.c --- libs/png/pngrutil.c.orig 2004-07-13 13:36:37.000000000 +0100 +++ libs/png/pngrutil.c 2004-07-13 23:43:02.000000000 +0100 @@@@ -350,7 +350,11 @@@@ png_crc_finish(png_ptr, 0); width = png_get_uint_32(buf); + if (width > PNG_MAX_DIMENSION) + png_error(png_ptr, "Width is too large"); height = png_get_uint_32(buf + 4); + if (height > PNG_MAX_DIMENSION) + png_error(png_ptr, "Height is too large"); bit_depth = buf[8]; color_type = buf[9]; compression_type = buf[10]; @@@@ -675,7 +679,7 @@@@ else truelen = (png_size_t)png_ptr->channels; - if (length != truelen) + if (length != truelen || length > 4) { png_warning(png_ptr, "Incorrect sBIT chunk length"); png_crc_finish(png_ptr, length); @@@@ -1400,7 +1405,7 @@@@ void /* PRIVATE */ png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { - int num, i; + unsigned int num, i; png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH]; png_debug(1, "in png_handle_hIST\n"); @@@@ -1426,8 +1431,8 @@@@ return; } - num = (int)length / 2 ; - if (num != png_ptr->num_palette) + num = length / 2 ; + if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect hIST chunk length"); png_crc_finish(png_ptr, length); @@@@ -2868,6 +2873,9 @@@@ png_read_data(png_ptr, chunk_length, 4); png_ptr->idat_size = png_get_uint_32(chunk_length); + if (png_ptr->idat_size > PNG_MAX_UINT) + png_error(png_ptr, "Invalid chunk length."); + png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4)) @ 1.3 log @added Security Fix (CAN-2002-1363) for png @ text @d83 336 @ 1.3.2.1 log @SA-2004.035-png; CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 @ text @a82 336 http://www.graphicsmagick.org/libpng/beta/patches/INFO.txt > [Problems discovered and fixed by] Chris Evans > > 1) Remotely exploitable stack-based buffer overrun in png_handle_tRNS (pngrutil.c) > 2) Dangerous code in png_handle_sBIT (pngrutil.c) CAN-2004-0597 > 3) Possible NULL-pointer crash in png_handle_iCCP (pngrutil.c) > this flaw is duplicated in multiple other locations. CAN-2004-0598 > 4) Theoretical integer overflow in allocation in png_handle_sPLT (pngrutil.c) > 5) Integer overflow in png_read_png (pngread.c) > 6) Integer overflows during progressive reading. > 7) Other flaws. [integer overflows] CAN-2004-0599 http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch03-trns-chunk-overflow.txt Use to patch libpng-1.0.9 through 1.2.5 This fixes the most dangerous of the newly reported vulnerabilities diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch03/pngrutil.c --- libs/png/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libs/png/pngrutil.c Fri Jul 23 18:54:36 2004 @@@@ -1241,7 +1241,8 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before tRNS"); } - else if (length > (png_uint_32)png_ptr->num_palette) + if (length > (png_uint_32)png_ptr->num_palette || + length > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect tRNS chunk length"); png_crc_finish(png_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch04-get-uint-31.txt Use to patch libpng-1.0.6 through 1.2.5 This patch defines PNG_UINT_31_MAX, PNG_UINT_32_MAX, PNG_SIZE_MAX, and png_get_uint_31(), which are needed by patches 05-08. diff -r -U 3 libpng-1.2.5/png.h libpng-1.2.5patch04/png.h --- libs/png/png.h.orig Thu Oct 3 06:32:26 2002 +++ libs/png/png.h Fri Jul 23 18:56:27 2004 @@@@ -833,7 +833,11 @@@@ typedef png_info FAR * FAR * png_infopp; /* Maximum positive integer used in PNG is (2^31)-1 */ -#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL) +#define PNG_UINT_32_MAX (~((png_uint_32)0)) +#define PNG_SIZE_MAX (~((png_size_t)0)) +/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */ +#define PNG_MAX_UINT PNG_UINT_31_MAX /* These describe the color_type field in png_info. */ /* color type masks */ @@@@ -2655,6 +2659,8 @@@@ PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf)); PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf)); #endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */ +PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr, + png_bytep buf)); /* Initialize png_ptr struct for reading, and allocate any other memory. * (old interface - DEPRECATED - use png_create_read_struct instead). diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch04/pngrutil.c --- libs/png/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libs/png/pngrutil.c Fri Jul 23 18:56:27 2004 @@@@ -38,6 +38,14 @@@@ # endif #endif +png_uint_32 /* PRIVATE */ +png_get_uint_31(png_structp png_ptr, png_bytep buf) +{ + png_uint_32 i = png_get_uint_32(buf); + if (i > PNG_UINT_31_MAX) + png_error(png_ptr, "PNG unsigned integer out of range.\n"); + return (i); +} #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */ png_uint_32 /* PRIVATE */ http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch06-pngread-chunklength.txt Use to patch libpng-1.0.13 through 1.0.15 and 1.2.2 through 1.2.5. Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch06/pngread.c --- libs/png/pngread.c.orig Thu Oct 3 06:32:29 2002 +++ libs/png/pngread.c Fri Jul 23 18:59:57 2004 @@@@ -384,7 +384,7 @@@@ png_uint_32 length; png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -392,9 +392,6 @@@@ png_debug2(0, "Reading %s chunk, length=%lu.\n", png_ptr->chunk_name, length); - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); - /* This should be a binary subdivision search or a hash for * matching the chunk name rather than a linear search. */ @@@@ -673,10 +670,7 @@@@ png_crc_finish(png_ptr, 0); png_read_data(png_ptr, chunk_length, 4); - png_ptr->idat_size = png_get_uint_32(chunk_length); - - if (png_ptr->idat_size > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); + png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -946,15 +940,12 @@@@ #endif /* PNG_GLOBAL_ARRAYS */ png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_debug1(0, "Reading %s chunk.\n", png_ptr->chunk_name); - - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4)) png_handle_IHDR(png_ptr, info_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch07-png-read-png-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch07/pngread.c --- libs/png/pngread.c.orig Thu Oct 3 06:32:29 2002 +++ libs/png/pngread.c Fri Jul 23 19:01:39 2004 @@@@ -1299,6 +1299,9 @@@@ */ png_read_info(png_ptr, info_ptr); + if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep)) + png_error(png_ptr,"Image is too high to process with png_read_png()"); + /* -------------- image transformations start here ------------------- */ #if defined(PNG_READ_16_TO_8_SUPPORTED) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch08-splt-buffer-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). Requires libpng-patch04-* The "sPLT chunk too long" check from Matthias Clasen (RedHat libpng package maintainer) diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch08/pngrutil.c --- libs/png/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libs/png/pngrutil.c Fri Jul 23 19:02:48 2004 @@@@ -1154,8 +1154,18 @@@@ } new_palette.nentries = data_length / entry_size; - new_palette.entries = (png_sPLT_entryp)png_malloc( + if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry)) + { + png_warning(png_ptr, "sPLT chunk too long"); + return; + } + new_palette.entries = (png_sPLT_entryp)png_malloc_warn( png_ptr, new_palette.nentries * sizeof(png_sPLT_entry)); + if (new_palette.entries == NULL) + { + png_warning(png_ptr, "sPLT chunk requires too much memory"); + return; + } #ifndef PNG_NO_POINTER_INDEXING for (i = 0; i < new_palette.nentries; i++) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch09-null-iccp-profile.txt Use to patch libpng-1.0.9 through 1.2.5. Does not work with libpng-1.0.6-1.0.8. Libpng-1.0.5 and earlier didn't implement iCCP chunk reading. diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch09/pngrutil.c --- libs/png/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libs/png/pngrutil.c Fri Jul 23 19:04:28 2004 @@@@ -977,8 +977,7 @@@@ png_bytep pC; png_charp profile; png_uint_32 skip = 0; - png_uint_32 profile_size = 0; - png_uint_32 profile_length = 0; + png_uint_32 profile_size, profile_length; png_size_t slength, prefix_length, data_length; png_debug(1, "in png_handle_iCCP\n"); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch10-find-duplicate-chunk.txt Use to patch libpng-1.0.6 through 1.2.5 Does not work with libpng-1.0.5 and earlier. No security problem. The bugs are similar to the one fixed in patch 03, but the only effect is that libpng will fail to detect misplaced harmless duplicate chunks. diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch10/pngrutil.c --- libs/png/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libs/png/pngrutil.c Fri Jul 23 19:05:40 2004 @@@@ -579,7 +579,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place gAMA chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -660,7 +660,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sBIT chunk"); } - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) { png_warning(png_ptr, "Duplicate sBIT chunk"); png_crc_finish(png_ptr, length); @@@@ -729,7 +729,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before cHRM"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -891,7 +891,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sRGB chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) { png_warning(png_ptr, "Duplicate sRGB chunk"); png_crc_finish(png_ptr, length); @@@@ -995,7 +995,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place iCCP chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) { png_warning(png_ptr, "Duplicate iCCP chunk"); png_crc_finish(png_ptr, length); This patch from Chris Evans avoids a host of security problems related to buffer overflows that might occur when processing very large images. It causes the reader to reject any images claiming to have more rows or columns the png format supports. diff -ru libpng-1.2.5/png.h libpng-1.2.5.fix/png.h --- libs/png/png.h.orig 2002-10-03 12:32:26.000000000 +0100 +++ libs/png/png.h 2004-07-13 23:18:10.000000000 +0100 @@@@ -835,6 +835,9 @@@@ /* Maximum positive integer used in PNG is (2^31)-1 */ #define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +/* Constraints on width, height, (2 ^ 24) - 1*/ +#define PNG_MAX_DIMENSION 16777215 + /* These describe the color_type field in png_info. */ /* color type masks */ #define PNG_COLOR_MASK_PALETTE 1 diff -ru libpng-1.2.5/pngrutil.c libpng-1.2.5.fix/pngrutil.c --- libs/png/pngrutil.c.orig 2004-07-13 13:36:37.000000000 +0100 +++ libs/png/pngrutil.c 2004-07-13 23:43:02.000000000 +0100 @@@@ -350,7 +350,11 @@@@ png_crc_finish(png_ptr, 0); width = png_get_uint_32(buf); + if (width > PNG_MAX_DIMENSION) + png_error(png_ptr, "Width is too large"); height = png_get_uint_32(buf + 4); + if (height > PNG_MAX_DIMENSION) + png_error(png_ptr, "Height is too large"); bit_depth = buf[8]; color_type = buf[9]; compression_type = buf[10]; @@@@ -675,7 +679,7 @@@@ else truelen = (png_size_t)png_ptr->channels; - if (length != truelen) + if (length != truelen || length > 4) { png_warning(png_ptr, "Incorrect sBIT chunk length"); png_crc_finish(png_ptr, length); @@@@ -1400,7 +1405,7 @@@@ void /* PRIVATE */ png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { - int num, i; + unsigned int num, i; png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH]; png_debug(1, "in png_handle_hIST\n"); @@@@ -1426,8 +1431,8 @@@@ return; } - num = (int)length / 2 ; - if (num != png_ptr->num_palette) + num = length / 2 ; + if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect hIST chunk length"); png_crc_finish(png_ptr, length); @@@@ -2868,6 +2873,9 @@@@ png_read_data(png_ptr, chunk_length, 4); png_ptr->idat_size = png_get_uint_32(chunk_length); + if (png_ptr->idat_size > PNG_MAX_UINT) + png_error(png_ptr, "Invalid chunk length."); + png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4)) @ 1.2 log @SA-2004.017-png @ text @a13 25 --- libs/png/pngrtran.c.orig Wed Oct 2 20:20:24 2002 +++ libs/png/pngrtran.c Wed Jan 15 11:30:23 2003 @@@@ -1965,8 +1965,8 @@@@ /* This changes the data from RRGGBB to RRGGBBXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width * 3; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 6; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@@@ -1987,8 +1987,8 @@@@ /* This changes the data from RRGGBB to XXRRGGBB */ else { - png_bytep sp = row + (png_size_t)row_width * 3; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 6; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < row_width; i++) { *(--dp) = *(--sp); d36 47 @ 1.2.2.1 log @SA-2004.017-png @ text @d1 13 @ 1.2.2.2 log @SA-2004.030; CAN-2002-1363 @ text @d1 3 a3 45 Index: libs/png/pngerror.c --- libs/png/pngerror.c.orig 2003-05-28 14:31:31 +0200 +++ libs/png/pngerror.c 2004-07-05 16:26:05 +0200 @@@@ -136,10 +136,13 @@@@ buffer[iout] = 0; else { + png_size_t len; + if ((len = png_strlen(error_message)) > 63) + len = 63; buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer+iout, error_message, 64); - buffer[iout+63] = 0; + png_memcpy(buffer+iout, error_message, len); + buffer[iout+len] = 0; } } Index: libs/png/pngrtran.c --- libs/png/pngrtran.c.orig 2003-05-28 14:31:32 +0200 +++ libs/png/pngrtran.c 2004-07-05 16:26:05 +0200 @@@@ -1890,8 +1890,8 @@@@ /* This changes the data from GG to GGXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@@@ -1908,8 +1908,8 @@@@ /* This changes the data from GG to XXGG */ else { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < row_width; i++) { *(--dp) = *(--sp); @@@@ -1966,8 +1966,8 @@@@ d14 1 a14 1 @@@@ -1988,8 +1988,8 @@@@ d25 23 @ 1.1 log @fix installation procedure @ text @d13 48 @ 1.1.2.1 log @SA-2004.017-png @ text @a12 48 --- libs/png/pngrtran.c.orig Wed Oct 2 20:20:24 2002 +++ libs/png/pngrtran.c Wed Jan 15 11:30:23 2003 @@@@ -1965,8 +1965,8 @@@@ /* This changes the data from RRGGBB to RRGGBBXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width * 3; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 6; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@@@ -1987,8 +1987,8 @@@@ /* This changes the data from RRGGBB to XXRRGGBB */ else { - png_bytep sp = row + (png_size_t)row_width * 3; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 6; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < row_width; i++) { *(--dp) = *(--sp); Steve G Libpng accesses memory that is out of bounds when creating an error message Index: pngerror.c --- libs/png/pngerror.c.orig 2002-10-03 13:32:27.000000000 +0200 +++ libs/png/pngerror.c 2004-04-28 13:24:22.000000000 +0200 @@@@ -135,10 +135,13 @@@@ buffer[iout] = 0; else { + png_size_t len; + if ((len = png_strlen(error_message)) > 63) + len = 63; buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer+iout, error_message, 64); - buffer[iout+63] = 0; + png_memcpy(buffer+iout, error_message, len); + buffer[iout+len] = 0; } } @ 1.1.2.2 log @SA-2004.030; CAN-2002-1363 @ text @d14 3 a16 45 Index: libs/png/pngerror.c --- libs/png/pngerror.c.orig 2004-01-26 14:30:33 +0100 +++ libs/png/pngerror.c 2004-07-05 14:26:02 +0200 @@@@ -136,10 +136,13 @@@@ buffer[iout] = 0; else { + png_size_t len; + if ((len = png_strlen(error_message)) > 63) + len = 63; buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer+iout, error_message, 64); - buffer[iout+63] = 0; + png_memcpy(buffer+iout, error_message, len); + buffer[iout+len] = 0; } } Index: libs/png/pngrtran.c --- libs/png/pngrtran.c.orig 2004-01-26 14:30:33 +0100 +++ libs/png/pngrtran.c 2004-07-05 14:26:02 +0200 @@@@ -1890,8 +1890,8 @@@@ /* This changes the data from GG to GGXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@@@ -1908,8 +1908,8 @@@@ /* This changes the data from GG to XXGG */ else { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < row_width; i++) { *(--dp) = *(--sp); @@@@ -1966,8 +1966,8 @@@@ d27 1 a27 1 @@@@ -1988,8 +1988,8 @@@@ d38 23 @ 1.1.2.3 log @SA-2004.035-png; CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 @ text @a79 336 http://www.graphicsmagick.org/libpng/beta/patches/INFO.txt > [Problems discovered and fixed by] Chris Evans > > 1) Remotely exploitable stack-based buffer overrun in png_handle_tRNS (pngrutil.c) > 2) Dangerous code in png_handle_sBIT (pngrutil.c) CAN-2004-0597 > 3) Possible NULL-pointer crash in png_handle_iCCP (pngrutil.c) > this flaw is duplicated in multiple other locations. CAN-2004-0598 > 4) Theoretical integer overflow in allocation in png_handle_sPLT (pngrutil.c) > 5) Integer overflow in png_read_png (pngread.c) > 6) Integer overflows during progressive reading. > 7) Other flaws. [integer overflows] CAN-2004-0599 http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch03-trns-chunk-overflow.txt Use to patch libpng-1.0.9 through 1.2.5 This fixes the most dangerous of the newly reported vulnerabilities diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch03/pngrutil.c --- libs/png/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libs/png/pngrutil.c Fri Jul 23 18:54:36 2004 @@@@ -1241,7 +1241,8 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before tRNS"); } - else if (length > (png_uint_32)png_ptr->num_palette) + if (length > (png_uint_32)png_ptr->num_palette || + length > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect tRNS chunk length"); png_crc_finish(png_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch04-get-uint-31.txt Use to patch libpng-1.0.6 through 1.2.5 This patch defines PNG_UINT_31_MAX, PNG_UINT_32_MAX, PNG_SIZE_MAX, and png_get_uint_31(), which are needed by patches 05-08. diff -r -U 3 libpng-1.2.5/png.h libpng-1.2.5patch04/png.h --- libs/png/png.h.orig Thu Oct 3 06:32:26 2002 +++ libs/png/png.h Fri Jul 23 18:56:27 2004 @@@@ -833,7 +833,11 @@@@ typedef png_info FAR * FAR * png_infopp; /* Maximum positive integer used in PNG is (2^31)-1 */ -#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL) +#define PNG_UINT_32_MAX (~((png_uint_32)0)) +#define PNG_SIZE_MAX (~((png_size_t)0)) +/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */ +#define PNG_MAX_UINT PNG_UINT_31_MAX /* These describe the color_type field in png_info. */ /* color type masks */ @@@@ -2655,6 +2659,8 @@@@ PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf)); PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf)); #endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */ +PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr, + png_bytep buf)); /* Initialize png_ptr struct for reading, and allocate any other memory. * (old interface - DEPRECATED - use png_create_read_struct instead). diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch04/pngrutil.c --- libs/png/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libs/png/pngrutil.c Fri Jul 23 18:56:27 2004 @@@@ -38,6 +38,14 @@@@ # endif #endif +png_uint_32 /* PRIVATE */ +png_get_uint_31(png_structp png_ptr, png_bytep buf) +{ + png_uint_32 i = png_get_uint_32(buf); + if (i > PNG_UINT_31_MAX) + png_error(png_ptr, "PNG unsigned integer out of range.\n"); + return (i); +} #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */ png_uint_32 /* PRIVATE */ http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch06-pngread-chunklength.txt Use to patch libpng-1.0.13 through 1.0.15 and 1.2.2 through 1.2.5. Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch06/pngread.c --- libs/png/pngread.c.orig Thu Oct 3 06:32:29 2002 +++ libs/png/pngread.c Fri Jul 23 18:59:57 2004 @@@@ -384,7 +384,7 @@@@ png_uint_32 length; png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -392,9 +392,6 @@@@ png_debug2(0, "Reading %s chunk, length=%lu.\n", png_ptr->chunk_name, length); - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); - /* This should be a binary subdivision search or a hash for * matching the chunk name rather than a linear search. */ @@@@ -673,10 +670,7 @@@@ png_crc_finish(png_ptr, 0); png_read_data(png_ptr, chunk_length, 4); - png_ptr->idat_size = png_get_uint_32(chunk_length); - - if (png_ptr->idat_size > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); + png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -946,15 +940,12 @@@@ #endif /* PNG_GLOBAL_ARRAYS */ png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_debug1(0, "Reading %s chunk.\n", png_ptr->chunk_name); - - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4)) png_handle_IHDR(png_ptr, info_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch07-png-read-png-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch07/pngread.c --- libs/png/pngread.c.orig Thu Oct 3 06:32:29 2002 +++ libs/png/pngread.c Fri Jul 23 19:01:39 2004 @@@@ -1299,6 +1299,9 @@@@ */ png_read_info(png_ptr, info_ptr); + if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep)) + png_error(png_ptr,"Image is too high to process with png_read_png()"); + /* -------------- image transformations start here ------------------- */ #if defined(PNG_READ_16_TO_8_SUPPORTED) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch08-splt-buffer-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). Requires libpng-patch04-* The "sPLT chunk too long" check from Matthias Clasen (RedHat libpng package maintainer) diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch08/pngrutil.c --- libs/png/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libs/png/pngrutil.c Fri Jul 23 19:02:48 2004 @@@@ -1154,8 +1154,18 @@@@ } new_palette.nentries = data_length / entry_size; - new_palette.entries = (png_sPLT_entryp)png_malloc( + if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry)) + { + png_warning(png_ptr, "sPLT chunk too long"); + return; + } + new_palette.entries = (png_sPLT_entryp)png_malloc_warn( png_ptr, new_palette.nentries * sizeof(png_sPLT_entry)); + if (new_palette.entries == NULL) + { + png_warning(png_ptr, "sPLT chunk requires too much memory"); + return; + } #ifndef PNG_NO_POINTER_INDEXING for (i = 0; i < new_palette.nentries; i++) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch09-null-iccp-profile.txt Use to patch libpng-1.0.9 through 1.2.5. Does not work with libpng-1.0.6-1.0.8. Libpng-1.0.5 and earlier didn't implement iCCP chunk reading. diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch09/pngrutil.c --- libs/png/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libs/png/pngrutil.c Fri Jul 23 19:04:28 2004 @@@@ -977,8 +977,7 @@@@ png_bytep pC; png_charp profile; png_uint_32 skip = 0; - png_uint_32 profile_size = 0; - png_uint_32 profile_length = 0; + png_uint_32 profile_size, profile_length; png_size_t slength, prefix_length, data_length; png_debug(1, "in png_handle_iCCP\n"); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch10-find-duplicate-chunk.txt Use to patch libpng-1.0.6 through 1.2.5 Does not work with libpng-1.0.5 and earlier. No security problem. The bugs are similar to the one fixed in patch 03, but the only effect is that libpng will fail to detect misplaced harmless duplicate chunks. diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch10/pngrutil.c --- libs/png/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libs/png/pngrutil.c Fri Jul 23 19:05:40 2004 @@@@ -579,7 +579,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place gAMA chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -660,7 +660,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sBIT chunk"); } - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) { png_warning(png_ptr, "Duplicate sBIT chunk"); png_crc_finish(png_ptr, length); @@@@ -729,7 +729,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before cHRM"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -891,7 +891,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sRGB chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) { png_warning(png_ptr, "Duplicate sRGB chunk"); png_crc_finish(png_ptr, length); @@@@ -995,7 +995,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place iCCP chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) { png_warning(png_ptr, "Duplicate iCCP chunk"); png_crc_finish(png_ptr, length); This patch from Chris Evans avoids a host of security problems related to buffer overflows that might occur when processing very large images. It causes the reader to reject any images claiming to have more rows or columns the png format supports. diff -ru libpng-1.2.5/png.h libpng-1.2.5.fix/png.h --- libs/png/png.h.orig 2002-10-03 12:32:26.000000000 +0100 +++ libs/png/png.h 2004-07-13 23:18:10.000000000 +0100 @@@@ -835,6 +835,9 @@@@ /* Maximum positive integer used in PNG is (2^31)-1 */ #define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +/* Constraints on width, height, (2 ^ 24) - 1*/ +#define PNG_MAX_DIMENSION 16777215 + /* These describe the color_type field in png_info. */ /* color type masks */ #define PNG_COLOR_MASK_PALETTE 1 diff -ru libpng-1.2.5/pngrutil.c libpng-1.2.5.fix/pngrutil.c --- libs/png/pngrutil.c.orig 2004-07-13 13:36:37.000000000 +0100 +++ libs/png/pngrutil.c 2004-07-13 23:43:02.000000000 +0100 @@@@ -350,7 +350,11 @@@@ png_crc_finish(png_ptr, 0); width = png_get_uint_32(buf); + if (width > PNG_MAX_DIMENSION) + png_error(png_ptr, "Width is too large"); height = png_get_uint_32(buf + 4); + if (height > PNG_MAX_DIMENSION) + png_error(png_ptr, "Height is too large"); bit_depth = buf[8]; color_type = buf[9]; compression_type = buf[10]; @@@@ -675,7 +679,7 @@@@ else truelen = (png_size_t)png_ptr->channels; - if (length != truelen) + if (length != truelen || length > 4) { png_warning(png_ptr, "Incorrect sBIT chunk length"); png_crc_finish(png_ptr, length); @@@@ -1400,7 +1405,7 @@@@ void /* PRIVATE */ png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { - int num, i; + unsigned int num, i; png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH]; png_debug(1, "in png_handle_hIST\n"); @@@@ -1426,8 +1431,8 @@@@ return; } - num = (int)length / 2 ; - if (num != png_ptr->num_palette) + num = length / 2 ; + if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect hIST chunk length"); png_crc_finish(png_ptr, length); @@@@ -2868,6 +2873,9 @@@@ png_read_data(png_ptr, chunk_length, 4); png_ptr->idat_size = png_get_uint_32(chunk_length); + if (png_ptr->idat_size > PNG_MAX_UINT) + png_error(png_ptr, "Invalid chunk length."); + png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4)) @