head 1.28; access; symbols OPENPKG_E1_MP_HEAD:1.8 OPENPKG_E1_MP:1.8 OPENPKG_E1_MP_2_STABLE:1.7 OPENPKG_E1_FP:1.7 OPENPKG_2_STABLE_MP:1.8 OPENPKG_2_STABLE_20061018:1.7 OPENPKG_2_STABLE_20060622:1.7 OPENPKG_2_STABLE:1.7.0.8 OPENPKG_2_STABLE_BP:1.7 OPENPKG_2_5_RELEASE:1.7 OPENPKG_2_5_SOLID:1.7.0.6 OPENPKG_2_5_SOLID_BP:1.7 OPENPKG_2_4_RELEASE:1.7 OPENPKG_2_4_SOLID:1.7.0.4 OPENPKG_2_4_SOLID_BP:1.7 OPENPKG_CW_FP:1.7 OPENPKG_2_3_RELEASE:1.7 OPENPKG_2_3_SOLID:1.7.0.2 OPENPKG_2_3_SOLID_BP:1.7 OPENPKG_2_2_RELEASE:1.6 OPENPKG_2_2_SOLID:1.6.0.2 OPENPKG_2_2_SOLID_BP:1.6 OPENPKG_2_1_RELEASE:1.4 OPENPKG_2_1_SOLID:1.4.0.2 OPENPKG_2_1_SOLID_BP:1.4 OPENPKG_2_0_RELEASE:1.1 OPENPKG_2_0_SOLID:1.1.0.12 OPENPKG_2_0_SOLID_BP:1.1 OPENPKG_1_3_RELEASE:1.1 OPENPKG_1_3_SOLID:1.1.0.10 OPENPKG_1_3_SOLID_BP:1.1 OPENPKG_1_STABLE_MP:1.1 OPENPKG_1_2_RELEASE:1.1 OPENPKG_1_2_SOLID:1.1.0.8 OPENPKG_1_2_SOLID_BP:1.1 OPENPKG_1_STABLE:1.1.0.6 OPENPKG_1_STABLE_BP:1.1 OPENPKG_1_1_SOLID:1.1.0.4 OPENPKG_1_0_SOLID:1.1.0.2; locks; strict; comment @# @; 1.28 date 2009.12.03.21.01.34; author rse; state Exp; branches; next 1.27; commitid fsIM8OUIyZljiYdu; 1.27 date 2009.09.10.18.36.57; author rse; state Exp; branches; next 1.26; commitid iP5sGsEITTr6ca3u; 1.26 date 2009.08.15.09.02.57; author rse; state Exp; branches; next 1.25; commitid JXEpsWZiDlH0RLZt; 1.25 date 2009.07.17.22.10.25; author rse; state Exp; branches; next 1.24; commitid yFkDM9XMer5X87Wt; 1.24 date 2009.06.04.20.57.22; author rse; state Exp; branches; next 1.23; commitid 8dSkU50IPEgA7AQt; 1.23 date 2009.05.08.08.27.33; author rse; state Exp; branches; next 1.22; commitid Is26SXeGrl4aQ2Nt; 1.22 date 2009.02.19.22.49.50; author rse; state Exp; branches; next 1.21; commitid XUwIz092Jnrq76Dt; 1.21 date 2008.12.18.21.50.28; author rse; state Exp; branches; next 1.20; commitid qA6gMSHtSuMBOZut; 1.20 date 2008.11.01.09.54.09; author rse; state Exp; branches; next 1.19; commitid jWRj4rcgBHhxmTot; 1.19 date 2008.09.18.18.52.54; author rse; state Exp; branches; next 1.18; commitid V0gBqu19Tl93Lhjt; 1.18 date 2008.08.21.18.21.22; author rse; state Exp; branches; next 1.17; commitid VDwVaeDHZGR1uGft; 1.17 date 2008.08.16.15.25.36; author rse; state Exp; branches; next 1.16; commitid 5wjvj6QL7gGHF1ft; 1.16 date 2008.05.08.17.27.33; author rse; state Exp; branches; next 1.15; commitid N9UAekvfjC9Pyb2t; 1.15 date 2008.05.01.07.36.27; author rse; state Exp; branches; next 1.14; commitid mcu7mvqLYQhZve1t; 1.14 date 2008.04.03.06.59.31; author rse; state Exp; branches; next 1.13; commitid zCONVrd9SWD7dDXs; 1.13 date 2008.02.19.18.39.48; author rse; state Exp; branches; next 1.12; commitid kW6SYuqTWjX2v2Ss; 1.12 date 2007.12.14.22.58.32; author rse; state Exp; branches; next 1.11; commitid wAJnHH8sE4Hk5sJs; 1.11 date 2007.11.09.18.37.16; author rse; state Exp; branches; next 1.10; commitid LzbQZyGW1OasLVEs; 1.10 date 2007.10.14.07.22.37; author rse; state Exp; branches; next 1.9; commitid d3zFbr70PAfPRwBs; 1.9 date 2007.10.13.12.45.07; author rse; state Exp; branches; next 1.8; commitid TNmRp9rYmKbsGqBs; 1.8 date 2006.11.12.11.19.48; author rse; state Exp; branches; next 1.7; commitid 2SP3gElf4UxOYmUr; 1.7 date 2005.02.16.20.44.15; author rse; state Exp; branches 1.7.6.1 1.7.8.1; next 1.6; 1.6 date 2004.08.16.18.20.11; author rse; state dead; branches; next 1.5; 1.5 date 2004.08.04.14.01.46; author thl; state Exp; branches; next 1.4; 1.4 date 2004.06.29.08.15.36; author rse; state Exp; branches 1.4.2.1; next 1.3; 1.3 date 2004.05.27.08.14.27; author tho; state Exp; branches; next 1.2; 1.2 date 2004.04.29.15.01.58; author thl; state Exp; branches; next 1.1; 1.1 date 2003.01.15.13.50.46; author rse; state Exp; branches 1.1.2.1 1.1.4.1 1.1.10.1 1.1.12.1; next ; 1.7.6.1 date 2006.06.28.07.50.55; author rse; state Exp; branches; next ; commitid P6CuEgDRwH0beKCr; 1.7.8.1 date 2006.11.16.21.59.14; author rse; state Exp; branches; next ; commitid BqX46xO4tYPcoWUr; 1.4.2.1 date 2004.08.04.14.02.55; author thl; state Exp; branches; next ; 1.1.2.1 date 2003.01.15.13.58.10; author rse; state Exp; branches; next ; 1.1.4.1 date 2003.01.15.14.00.34; author rse; state Exp; branches; next ; 1.1.10.1 date 2004.04.29.19.56.26; author thl; state Exp; branches; next 1.1.10.2; 1.1.10.2 date 2004.06.29.08.18.09; author rse; state Exp; branches; next ; 1.1.12.1 date 2004.04.29.16.17.52; author thl; state Exp; branches; next 1.1.12.2; 1.1.12.2 date 2004.06.29.08.17.02; author rse; state Exp; branches; next 1.1.12.3; 1.1.12.3 date 2004.08.04.14.05.35; author thl; state Exp; branches; next ; desc @@ 1.28 log @upgrading package: png 1.2.40 -> 1.2.41 @ text @Index: pngconf.h --- pngconf.h.orig 2009-05-07 18:05:28 +0200 +++ pngconf.h 2009-05-08 10:22:24 +0200 @@@@ -331,9 +331,9 @@@@ # ifdef _SETJMP_H /* If you encounter a compiler error here, see the explanation * near the end of INSTALL. - */ __pngconf.h__ in libpng already includes setjmp.h; __dont__ include it again.; + */ # endif # endif /* __linux__ */ # endif /* PNG_SKIP_SETJMP_CHECK */ Index: scripts/libpng.pc-configure.in --- scripts/libpng.pc-configure.in.orig 2008-05-29 19:39:19 +0200 +++ scripts/libpng.pc-configure.in 2009-05-08 10:21:50 +0200 @@@@ -6,6 +6,6 @@@@ Name: libpng Description: Loads and saves PNG files Version: @@PNGLIB_VERSION@@ -Libs: -L${libdir} -lpng@@PNGLIB_MAJOR@@@@PNGLIB_MINOR@@ -Libs.private: @@LIBS@@ +Libs: -L${libdir} -lpng +Libs.private: -lz @@LIBS@@ Cflags: -I${includedir} @@LIBPNG_NO_MMX@@ Index: scripts/libpng.pc.in --- scripts/libpng.pc.in.orig 2009-05-07 18:05:35 +0200 +++ scripts/libpng.pc.in 2009-05-08 10:21:50 +0200 @@@@ -6,5 +6,6 @@@@ Name: libpng Description: Loads and saves PNG files Version: 1.2.41 -Libs: -L${libdir} -lpng12 +Libs: -L${libdir} -lpng +Libs.private: -lz Cflags: -I${includedir} @ 1.27 log @upgrading package: png 1.2.39 -> 1.2.40 @ text @d33 1 a33 1 Version: 1.2.40 @ 1.26 log @upgrading package: png 1.2.38 -> 1.2.39 @ text @d33 1 a33 1 Version: 1.2.39 @ 1.25 log @upgrading package: png 1.2.37 -> 1.2.38 @ text @d33 1 a33 1 Version: 1.2.38 @ 1.24 log @upgrading package: png 1.2.36 -> 1.2.37 @ text @d33 1 a33 1 Version: 1.2.37 @ 1.23 log @upgrading package: png 1.2.35 -> 1.2.36 @ text @d33 1 a33 1 Version: 1.2.36 @ 1.22 log @upgrading package: png 1.2.34 -> 1.2.35 @ text @d2 13 a14 13 --- pngconf.h.orig 2008-08-15 16:14:42 +0200 +++ pngconf.h 2008-08-16 17:14:13 +0200 @@@@ -322,9 +322,9 @@@@ # ifdef _SETJMP_H /* If you encounter a compiler error here, see the explanation * near the end of INSTALL. - */ __pngconf.h__ already includes setjmp.h; __dont__ include it again.; + */ # endif # endif /* __linux__ */ d17 1 a17 1 +++ scripts/libpng.pc-configure.in 2008-08-16 17:15:23 +0200 d28 2 a29 2 --- scripts/libpng.pc.in.orig 2008-08-15 16:14:44 +0200 +++ scripts/libpng.pc.in 2008-08-16 17:14:13 +0200 d33 1 a33 1 Version: 1.2.35 @ 1.21 log @upgrading package: png 1.2.33 -> 1.2.34 @ text @d33 1 a33 1 Version: 1.2.34 @ 1.20 log @upgrading package: png 1.2.32 -> 1.2.33 @ text @d33 1 a33 1 Version: 1.2.33 @ 1.19 log @upgrading package: png 1.2.31 -> 1.2.32 @ text @d33 1 a33 1 Version: 1.2.32 @ 1.18 log @upgrading package: png 1.2.30 -> 1.2.31 @ text @d33 1 a33 1 Version: 1.2.31 @ 1.17 log @upgrading package: png 1.2.29 -> 1.2.30 @ text @d33 1 a33 1 Version: 1.2.30 @ 1.16 log @upgrading package: png 1.2.28 -> 1.2.29 @ text @d2 2 a3 2 --- pngconf.h.orig 2008-04-29 02:38:18 +0200 +++ pngconf.h 2008-04-29 08:12:44 +0200 d16 3 a18 3 --- scripts/libpng.pc-configure.in.orig 2008-04-29 02:38:24 +0200 +++ scripts/libpng.pc-configure.in 2008-04-29 08:12:44 +0200 @@@@ -6,5 +6,6 @@@@ d21 3 a23 2 Version: 1.2.29 -Libs: -L${libdir} -lpng12 d25 1 a25 1 +Libs.private: -lz d28 2 a29 2 --- scripts/libpng.pc.in.orig 2008-04-29 02:38:24 +0200 +++ scripts/libpng.pc.in 2008-04-29 08:12:44 +0200 d33 1 a33 1 Version: 1.2.29 @ 1.15 log @upgrading package: png 1.2.26 -> 1.2.28 @ text @a0 22 Index: Makefile.in --- Makefile.in.orig 2008-04-30 19:36:25 +0200 +++ Makefile.in 2008-05-01 09:33:24 +0200 @@@@ -165,6 +165,7 @@@@ DLLTOOL = @@DLLTOOL@@ DSYMUTIL = @@DSYMUTIL@@ DUMPBIN = @@DUMPBIN@@ +ECHO = echo ECHO_C = @@ECHO_C@@ ECHO_N = @@ECHO_N@@ ECHO_T = @@ECHO_T@@ Index: configure --- configure.orig 2008-04-29 02:38:47 +0200 +++ configure 2008-04-29 08:17:18 +0200 @@@@ -14405,6 +14405,7 @@@@ # An echo program that does not interpret backslashes. ECHO=$lt_ECHO +echo=$lt_ECHO # Used to examine libraries when file_magic_cmd begins with "file". MAGIC_CMD=$MAGIC_CMD d21 1 a21 1 Version: 1.2.28 d32 1 a32 1 Version: 1.2.28 @ 1.14 log @upgrading package: png 1.2.25 -> 1.2.26 @ text @d1 22 d24 2 a25 2 --- pngconf.h.orig 2007-12-14 17:22:25 +0100 +++ pngconf.h 2007-12-14 23:56:51 +0100 d38 2 a39 2 --- scripts/libpng.pc-configure.in.orig 2007-12-14 17:22:43 +0100 +++ scripts/libpng.pc-configure.in 2007-12-14 23:55:52 +0100 d43 1 a43 1 Version: 1.2.26 d49 2 a50 2 --- scripts/libpng.pc.in.orig 2007-12-14 17:22:43 +0100 +++ scripts/libpng.pc.in 2007-12-14 23:55:52 +0100 d54 1 a54 1 Version: 1.2.26 @ 1.13 log @upgrading package: png 1.2.24 -> 1.2.25 @ text @d21 1 a21 1 Version: 1.2.25 d32 1 a32 1 Version: 1.2.25 @ 1.12 log @upgrading package: png 1.2.23 -> 1.2.24 @ text @d21 1 a21 1 Version: 1.2.24 d32 1 a32 1 Version: 1.2.24 @ 1.11 log @upgrading package: png 1.2.22 -> 1.2.23 @ text @d2 3 a4 3 --- pngconf.h.orig 2007-09-08 05:22:56 +0200 +++ pngconf.h 2007-10-13 14:37:04 +0200 @@@@ -319,9 +319,9 @@@@ d9 1 a9 1 __png.h__ already includes setjmp.h; d16 2 a17 2 --- scripts/libpng.pc-configure.in.orig 2007-09-08 05:23:01 +0200 +++ scripts/libpng.pc-configure.in 2007-10-13 14:37:04 +0200 d21 1 a21 1 Version: 1.2.23 d27 2 a28 2 --- scripts/libpng.pc.in.orig 2007-09-08 05:23:01 +0200 +++ scripts/libpng.pc.in 2007-10-13 14:37:04 +0200 d32 1 a32 1 Version: 1.2.23 @ 1.10 log @upgrading package: png 1.2.21 -> 1.2.22 @ text @d21 1 a21 1 Version: 1.2.22 d32 1 a32 1 Version: 1.2.22 @ 1.9 log @cleanup pkg-config stuff @ text @d21 1 a21 1 Version: 1.2.21 d32 1 a32 1 Version: 1.2.21 @ 1.8 log @remember that for static linking png required zlib @ text @d2 3 a4 3 --- pngconf.h.orig 2006-06-27 22:22:34 +0200 +++ pngconf.h 2006-11-12 12:17:37 +0100 @@@@ -313,9 +313,9 @@@@ d15 11 d27 4 a30 3 --- scripts/libpng.pc.in.orig 2006-06-27 22:22:40 +0200 +++ scripts/libpng.pc.in 2006-11-12 12:18:12 +0100 @@@@ -7,4 +7,5 @@@@ d32 3 a34 2 Version: 1.2.12 Libs: -L${libdir} -lpng12 @ 1.7 log @do not teach packagers, please ;-). At least required to get PDFLib to build under Linux @ text @d2 3 a4 3 --- pngconf.h.orig 2004-12-03 01:14:24.000000000 +0100 +++ pngconf.h 2005-02-16 21:37:27.926893025 +0100 @@@@ -303,9 +303,9 @@@@ d15 9 @ 1.7.8.1 log @MFC: latest pkgconfig file fixes and update to the security fixes upstream version @ text @d2 3 a4 3 --- pngconf.h.orig 2006-06-27 22:22:34 +0200 +++ pngconf.h 2006-11-12 12:17:37 +0100 @@@@ -313,9 +313,9 @@@@ a14 9 Index: scripts/libpng.pc.in --- scripts/libpng.pc.in.orig 2006-06-27 22:22:40 +0200 +++ scripts/libpng.pc.in 2006-11-12 12:18:12 +0100 @@@@ -7,4 +7,5 @@@@ Description: Loads and saves PNG files Version: 1.2.12 Libs: -L${libdir} -lpng12 +Libs.private: -lz Cflags: -I${includedir} @ 1.7.6.1 log @Security Fix @ text @a14 12 Index: pngrutil.c --- pngrutil.c 2006-06-26 14:48:05 +0200 +++ pngrutil.c 2006-06-27 22:22:34 +0200 @@@@ -276,7 +276,7 @@@@ if (ret != Z_STREAM_END) { #if !defined(PNG_NO_STDIO) && !defined(_WIN32_WCE) - char umsg[50]; + char umsg[52]; if (ret == Z_BUF_ERROR) sprintf(umsg,"Buffer error in compressed datastream in %s chunk", @ 1.6 log @upgrading package: png 1.2.5 -> 1.2.6 @ text @d1 11 a11 80 Security Fix (CAN-2002-1363): Possible buffer overflows. Index: pngrtran.c --- pngrtran.c.orig 2002-10-03 13:32:29 +0200 +++ pngrtran.c 2004-06-29 10:06:10 +0200 @@@@ -1889,8 +1889,8 @@@@ /* This changes the data from GG to GGXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@@@ -1907,8 +1907,8 @@@@ /* This changes the data from GG to XXGG */ else { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < row_width; i++) { *(--dp) = *(--sp); @@@@ -1965,8 +1965,8 @@@@ /* This changes the data from RRGGBB to RRGGBBXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width * 3; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 6; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@@@ -1987,8 +1987,8 @@@@ /* This changes the data from RRGGBB to XXRRGGBB */ else { - png_bytep sp = row + (png_size_t)row_width * 3; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 6; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < row_width; i++) { *(--dp) = *(--sp); ----------------------------------------------------------------------------- Security Fix (Steve G ): Access to memory that is out of bounds when creating an error message. Index: pngerror.c --- pngerror.c.orig 2002-10-03 13:32:27.000000000 +0200 +++ pngerror.c 2004-04-28 13:24:22.000000000 +0200 @@@@ -135,10 +135,13 @@@@ buffer[iout] = 0; else { + png_size_t len; + if ((len = png_strlen(error_message)) > 63) + len = 63; buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer+iout, error_message, 64); - buffer[iout+63] = 0; + png_memcpy(buffer+iout, error_message, len); + buffer[iout+len] = 0; } } --- pngconf.h.orig 2004-05-27 09:42:21.000000000 +0200 +++ pngconf.h 2004-05-27 09:43:22.000000000 +0200 @@@@ -251,10 +251,6 @@@@ # define PNG_SAVE_BSD_SOURCE # undef _BSD_SOURCE a12 4 -# ifdef _SETJMP_H - __png.h__ already includes setjmp.h; - __dont__ include it again.; -# endif a14 376 /* include setjmp.h for error handling */ http://www.graphicsmagick.org/libpng/beta/patches/INFO.txt > [Problems discovered and fixed by] Chris Evans > > 1) Remotely exploitable stack-based buffer overrun in png_handle_tRNS (pngrutil.c) > 2) Dangerous code in png_handle_sBIT (pngrutil.c) CAN-2004-0597 > 3) Possible NULL-pointer crash in png_handle_iCCP (pngrutil.c) > this flaw is duplicated in multiple other locations. CAN-2004-0598 > 4) Theoretical integer overflow in allocation in png_handle_sPLT (pngrutil.c) > 5) Integer overflow in png_read_png (pngread.c) > 6) Integer overflows during progressive reading. > 7) Other flaws. [integer overflows] CAN-2004-0599 http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch03-trns-chunk-overflow.txt Use to patch libpng-1.0.9 through 1.2.5 This fixes the most dangerous of the newly reported vulnerabilities diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch03/pngrutil.c --- pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ pngrutil.c Fri Jul 23 18:54:36 2004 @@@@ -1241,7 +1241,8 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before tRNS"); } - else if (length > (png_uint_32)png_ptr->num_palette) + if (length > (png_uint_32)png_ptr->num_palette || + length > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect tRNS chunk length"); png_crc_finish(png_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch04-get-uint-31.txt Use to patch libpng-1.0.6 through 1.2.5 This patch defines PNG_UINT_31_MAX, PNG_UINT_32_MAX, PNG_SIZE_MAX, and png_get_uint_31(), which are needed by patches 05-08. diff -r -U 3 libpng-1.2.5/png.h libpng-1.2.5patch04/png.h --- png.h.orig Thu Oct 3 06:32:26 2002 +++ png.h Fri Jul 23 18:56:27 2004 @@@@ -833,7 +833,11 @@@@ typedef png_info FAR * FAR * png_infopp; /* Maximum positive integer used in PNG is (2^31)-1 */ -#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL) +#define PNG_UINT_32_MAX (~((png_uint_32)0)) +#define PNG_SIZE_MAX (~((png_size_t)0)) +/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */ +#define PNG_MAX_UINT PNG_UINT_31_MAX /* These describe the color_type field in png_info. */ /* color type masks */ @@@@ -2655,6 +2659,8 @@@@ PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf)); PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf)); #endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */ +PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr, + png_bytep buf)); /* Initialize png_ptr struct for reading, and allocate any other memory. * (old interface - DEPRECATED - use png_create_read_struct instead). diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch04/pngrutil.c --- pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ pngrutil.c Fri Jul 23 18:56:27 2004 @@@@ -38,6 +38,14 @@@@ # endif #endif +png_uint_32 /* PRIVATE */ +png_get_uint_31(png_structp png_ptr, png_bytep buf) +{ + png_uint_32 i = png_get_uint_32(buf); + if (i > PNG_UINT_31_MAX) + png_error(png_ptr, "PNG unsigned integer out of range.\n"); + return (i); +} #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */ png_uint_32 /* PRIVATE */ http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch05-pngpread-chunklength.txt Use to patch libpng-1.0.0 through 1.2.5 Requires one of libpng-patch04* diff -r -U 3 libpng-1.2.5/pngpread.c libpng-1.2.5patch05/pngpread.c --- pngpread.c.orig Thu Oct 3 06:32:28 2002 +++ pngpread.c Fri Jul 23 18:57:39 2004 @@@@ -208,7 +208,7 @@@@ } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_32(chunk_length); + png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; @@@@ -591,6 +591,11 @@@@ png_size_t new_max; png_bytep old_buffer; + if (png_ptr->save_buffer_size > PNG_SIZE_MAX - + (png_ptr->current_buffer_size + 256)) + { + png_error(png_ptr, "Potential overflow of save_buffer"); + } new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256; old_buffer = png_ptr->save_buffer; png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr, @@@@ -637,8 +642,7 @@@@ } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_32(chunk_length); - + png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch06-pngread-chunklength.txt Use to patch libpng-1.0.13 through 1.0.15 and 1.2.2 through 1.2.5. Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch06/pngread.c --- pngread.c.orig Thu Oct 3 06:32:29 2002 +++ pngread.c Fri Jul 23 18:59:57 2004 @@@@ -384,7 +384,7 @@@@ png_uint_32 length; png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -392,9 +392,6 @@@@ png_debug2(0, "Reading %s chunk, length=%lu.\n", png_ptr->chunk_name, length); - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); - /* This should be a binary subdivision search or a hash for * matching the chunk name rather than a linear search. */ @@@@ -673,10 +670,7 @@@@ png_crc_finish(png_ptr, 0); png_read_data(png_ptr, chunk_length, 4); - png_ptr->idat_size = png_get_uint_32(chunk_length); - - if (png_ptr->idat_size > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); + png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -946,15 +940,12 @@@@ #endif /* PNG_GLOBAL_ARRAYS */ png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_debug1(0, "Reading %s chunk.\n", png_ptr->chunk_name); - - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4)) png_handle_IHDR(png_ptr, info_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch07-png-read-png-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch07/pngread.c --- pngread.c.orig Thu Oct 3 06:32:29 2002 +++ pngread.c Fri Jul 23 19:01:39 2004 @@@@ -1299,6 +1299,9 @@@@ */ png_read_info(png_ptr, info_ptr); + if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep)) + png_error(png_ptr,"Image is too high to process with png_read_png()"); + /* -------------- image transformations start here ------------------- */ #if defined(PNG_READ_16_TO_8_SUPPORTED) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch08-splt-buffer-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). Requires libpng-patch04-* The "sPLT chunk too long" check from Matthias Clasen (RedHat libpng package maintainer) diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch08/pngrutil.c --- pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ pngrutil.c Fri Jul 23 19:02:48 2004 @@@@ -1154,8 +1154,18 @@@@ } new_palette.nentries = data_length / entry_size; - new_palette.entries = (png_sPLT_entryp)png_malloc( + if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry)) + { + png_warning(png_ptr, "sPLT chunk too long"); + return; + } + new_palette.entries = (png_sPLT_entryp)png_malloc_warn( png_ptr, new_palette.nentries * sizeof(png_sPLT_entry)); + if (new_palette.entries == NULL) + { + png_warning(png_ptr, "sPLT chunk requires too much memory"); + return; + } #ifndef PNG_NO_POINTER_INDEXING for (i = 0; i < new_palette.nentries; i++) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch09-null-iccp-profile.txt Use to patch libpng-1.0.9 through 1.2.5. Does not work with libpng-1.0.6-1.0.8. Libpng-1.0.5 and earlier didn't implement iCCP chunk reading. diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch09/pngrutil.c --- pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ pngrutil.c Fri Jul 23 19:04:28 2004 @@@@ -977,8 +977,7 @@@@ png_bytep pC; png_charp profile; png_uint_32 skip = 0; - png_uint_32 profile_size = 0; - png_uint_32 profile_length = 0; + png_uint_32 profile_size, profile_length; png_size_t slength, prefix_length, data_length; png_debug(1, "in png_handle_iCCP\n"); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch10-find-duplicate-chunk.txt Use to patch libpng-1.0.6 through 1.2.5 Does not work with libpng-1.0.5 and earlier. No security problem. The bugs are similar to the one fixed in patch 03, but the only effect is that libpng will fail to detect misplaced harmless duplicate chunks. diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch10/pngrutil.c --- pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ pngrutil.c Fri Jul 23 19:05:40 2004 @@@@ -579,7 +579,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place gAMA chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -660,7 +660,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sBIT chunk"); } - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) { png_warning(png_ptr, "Duplicate sBIT chunk"); png_crc_finish(png_ptr, length); @@@@ -729,7 +729,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before cHRM"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -891,7 +891,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sRGB chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) { png_warning(png_ptr, "Duplicate sRGB chunk"); png_crc_finish(png_ptr, length); @@@@ -995,7 +995,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place iCCP chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) { png_warning(png_ptr, "Duplicate iCCP chunk"); png_crc_finish(png_ptr, length); This patch from Chris Evans avoids a host of security problems related to buffer overflows that might occur when processing very large images. It causes the reader to reject any images claiming to have more rows or columns the png format supports. diff -ru libpng-1.2.5/png.h libpng-1.2.5.fix/png.h --- png.h.orig 2002-10-03 12:32:26.000000000 +0100 +++ png.h 2004-07-13 23:18:10.000000000 +0100 @@@@ -835,6 +835,9 @@@@ /* Maximum positive integer used in PNG is (2^31)-1 */ #define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +/* Constraints on width, height, (2 ^ 24) - 1*/ +#define PNG_MAX_DIMENSION 16777215 + /* These describe the color_type field in png_info. */ /* color type masks */ #define PNG_COLOR_MASK_PALETTE 1 diff -ru libpng-1.2.5/pngrutil.c libpng-1.2.5.fix/pngrutil.c --- pngrutil.c.orig 2004-07-13 13:36:37.000000000 +0100 +++ pngrutil.c 2004-07-13 23:43:02.000000000 +0100 @@@@ -350,7 +350,11 @@@@ png_crc_finish(png_ptr, 0); width = png_get_uint_32(buf); + if (width > PNG_MAX_DIMENSION) + png_error(png_ptr, "Width is too large"); height = png_get_uint_32(buf + 4); + if (height > PNG_MAX_DIMENSION) + png_error(png_ptr, "Height is too large"); bit_depth = buf[8]; color_type = buf[9]; compression_type = buf[10]; @@@@ -675,7 +679,7 @@@@ else truelen = (png_size_t)png_ptr->channels; - if (length != truelen) + if (length != truelen || length > 4) { png_warning(png_ptr, "Incorrect sBIT chunk length"); png_crc_finish(png_ptr, length); @@@@ -1400,7 +1405,7 @@@@ void /* PRIVATE */ png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { - int num, i; + unsigned int num, i; png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH]; png_debug(1, "in png_handle_hIST\n"); @@@@ -1426,8 +1431,8 @@@@ return; } - num = (int)length / 2 ; - if (num != png_ptr->num_palette) + num = length / 2 ; + if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect hIST chunk length"); png_crc_finish(png_ptr, length); @@@@ -2868,6 +2873,9 @@@@ png_read_data(png_ptr, chunk_length, 4); png_ptr->idat_size = png_get_uint_32(chunk_length); + if (png_ptr->idat_size > PNG_MAX_UINT) + png_error(png_ptr, "Invalid chunk length."); + png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4)) @ 1.5 log @SA-2004.035-png; CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 @ text @@ 1.4 log @include security fix extension, more details about fixes plus some package cleanups @ text @d89 375 @ 1.4.2.1 log @SA-2004.035-png; CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 @ text @a88 375 http://www.graphicsmagick.org/libpng/beta/patches/INFO.txt > [Problems discovered and fixed by] Chris Evans > > 1) Remotely exploitable stack-based buffer overrun in png_handle_tRNS (pngrutil.c) > 2) Dangerous code in png_handle_sBIT (pngrutil.c) CAN-2004-0597 > 3) Possible NULL-pointer crash in png_handle_iCCP (pngrutil.c) > this flaw is duplicated in multiple other locations. CAN-2004-0598 > 4) Theoretical integer overflow in allocation in png_handle_sPLT (pngrutil.c) > 5) Integer overflow in png_read_png (pngread.c) > 6) Integer overflows during progressive reading. > 7) Other flaws. [integer overflows] CAN-2004-0599 http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch03-trns-chunk-overflow.txt Use to patch libpng-1.0.9 through 1.2.5 This fixes the most dangerous of the newly reported vulnerabilities diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch03/pngrutil.c --- pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ pngrutil.c Fri Jul 23 18:54:36 2004 @@@@ -1241,7 +1241,8 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before tRNS"); } - else if (length > (png_uint_32)png_ptr->num_palette) + if (length > (png_uint_32)png_ptr->num_palette || + length > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect tRNS chunk length"); png_crc_finish(png_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch04-get-uint-31.txt Use to patch libpng-1.0.6 through 1.2.5 This patch defines PNG_UINT_31_MAX, PNG_UINT_32_MAX, PNG_SIZE_MAX, and png_get_uint_31(), which are needed by patches 05-08. diff -r -U 3 libpng-1.2.5/png.h libpng-1.2.5patch04/png.h --- png.h.orig Thu Oct 3 06:32:26 2002 +++ png.h Fri Jul 23 18:56:27 2004 @@@@ -833,7 +833,11 @@@@ typedef png_info FAR * FAR * png_infopp; /* Maximum positive integer used in PNG is (2^31)-1 */ -#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL) +#define PNG_UINT_32_MAX (~((png_uint_32)0)) +#define PNG_SIZE_MAX (~((png_size_t)0)) +/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */ +#define PNG_MAX_UINT PNG_UINT_31_MAX /* These describe the color_type field in png_info. */ /* color type masks */ @@@@ -2655,6 +2659,8 @@@@ PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf)); PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf)); #endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */ +PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr, + png_bytep buf)); /* Initialize png_ptr struct for reading, and allocate any other memory. * (old interface - DEPRECATED - use png_create_read_struct instead). diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch04/pngrutil.c --- pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ pngrutil.c Fri Jul 23 18:56:27 2004 @@@@ -38,6 +38,14 @@@@ # endif #endif +png_uint_32 /* PRIVATE */ +png_get_uint_31(png_structp png_ptr, png_bytep buf) +{ + png_uint_32 i = png_get_uint_32(buf); + if (i > PNG_UINT_31_MAX) + png_error(png_ptr, "PNG unsigned integer out of range.\n"); + return (i); +} #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */ png_uint_32 /* PRIVATE */ http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch05-pngpread-chunklength.txt Use to patch libpng-1.0.0 through 1.2.5 Requires one of libpng-patch04* diff -r -U 3 libpng-1.2.5/pngpread.c libpng-1.2.5patch05/pngpread.c --- pngpread.c.orig Thu Oct 3 06:32:28 2002 +++ pngpread.c Fri Jul 23 18:57:39 2004 @@@@ -208,7 +208,7 @@@@ } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_32(chunk_length); + png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; @@@@ -591,6 +591,11 @@@@ png_size_t new_max; png_bytep old_buffer; + if (png_ptr->save_buffer_size > PNG_SIZE_MAX - + (png_ptr->current_buffer_size + 256)) + { + png_error(png_ptr, "Potential overflow of save_buffer"); + } new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256; old_buffer = png_ptr->save_buffer; png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr, @@@@ -637,8 +642,7 @@@@ } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_32(chunk_length); - + png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch06-pngread-chunklength.txt Use to patch libpng-1.0.13 through 1.0.15 and 1.2.2 through 1.2.5. Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch06/pngread.c --- pngread.c.orig Thu Oct 3 06:32:29 2002 +++ pngread.c Fri Jul 23 18:59:57 2004 @@@@ -384,7 +384,7 @@@@ png_uint_32 length; png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -392,9 +392,6 @@@@ png_debug2(0, "Reading %s chunk, length=%lu.\n", png_ptr->chunk_name, length); - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); - /* This should be a binary subdivision search or a hash for * matching the chunk name rather than a linear search. */ @@@@ -673,10 +670,7 @@@@ png_crc_finish(png_ptr, 0); png_read_data(png_ptr, chunk_length, 4); - png_ptr->idat_size = png_get_uint_32(chunk_length); - - if (png_ptr->idat_size > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); + png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -946,15 +940,12 @@@@ #endif /* PNG_GLOBAL_ARRAYS */ png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_debug1(0, "Reading %s chunk.\n", png_ptr->chunk_name); - - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4)) png_handle_IHDR(png_ptr, info_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch07-png-read-png-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch07/pngread.c --- pngread.c.orig Thu Oct 3 06:32:29 2002 +++ pngread.c Fri Jul 23 19:01:39 2004 @@@@ -1299,6 +1299,9 @@@@ */ png_read_info(png_ptr, info_ptr); + if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep)) + png_error(png_ptr,"Image is too high to process with png_read_png()"); + /* -------------- image transformations start here ------------------- */ #if defined(PNG_READ_16_TO_8_SUPPORTED) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch08-splt-buffer-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). Requires libpng-patch04-* The "sPLT chunk too long" check from Matthias Clasen (RedHat libpng package maintainer) diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch08/pngrutil.c --- pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ pngrutil.c Fri Jul 23 19:02:48 2004 @@@@ -1154,8 +1154,18 @@@@ } new_palette.nentries = data_length / entry_size; - new_palette.entries = (png_sPLT_entryp)png_malloc( + if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry)) + { + png_warning(png_ptr, "sPLT chunk too long"); + return; + } + new_palette.entries = (png_sPLT_entryp)png_malloc_warn( png_ptr, new_palette.nentries * sizeof(png_sPLT_entry)); + if (new_palette.entries == NULL) + { + png_warning(png_ptr, "sPLT chunk requires too much memory"); + return; + } #ifndef PNG_NO_POINTER_INDEXING for (i = 0; i < new_palette.nentries; i++) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch09-null-iccp-profile.txt Use to patch libpng-1.0.9 through 1.2.5. Does not work with libpng-1.0.6-1.0.8. Libpng-1.0.5 and earlier didn't implement iCCP chunk reading. diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch09/pngrutil.c --- pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ pngrutil.c Fri Jul 23 19:04:28 2004 @@@@ -977,8 +977,7 @@@@ png_bytep pC; png_charp profile; png_uint_32 skip = 0; - png_uint_32 profile_size = 0; - png_uint_32 profile_length = 0; + png_uint_32 profile_size, profile_length; png_size_t slength, prefix_length, data_length; png_debug(1, "in png_handle_iCCP\n"); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch10-find-duplicate-chunk.txt Use to patch libpng-1.0.6 through 1.2.5 Does not work with libpng-1.0.5 and earlier. No security problem. The bugs are similar to the one fixed in patch 03, but the only effect is that libpng will fail to detect misplaced harmless duplicate chunks. diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch10/pngrutil.c --- pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ pngrutil.c Fri Jul 23 19:05:40 2004 @@@@ -579,7 +579,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place gAMA chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -660,7 +660,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sBIT chunk"); } - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) { png_warning(png_ptr, "Duplicate sBIT chunk"); png_crc_finish(png_ptr, length); @@@@ -729,7 +729,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before cHRM"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -891,7 +891,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sRGB chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) { png_warning(png_ptr, "Duplicate sRGB chunk"); png_crc_finish(png_ptr, length); @@@@ -995,7 +995,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place iCCP chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) { png_warning(png_ptr, "Duplicate iCCP chunk"); png_crc_finish(png_ptr, length); This patch from Chris Evans avoids a host of security problems related to buffer overflows that might occur when processing very large images. It causes the reader to reject any images claiming to have more rows or columns the png format supports. diff -ru libpng-1.2.5/png.h libpng-1.2.5.fix/png.h --- png.h.orig 2002-10-03 12:32:26.000000000 +0100 +++ png.h 2004-07-13 23:18:10.000000000 +0100 @@@@ -835,6 +835,9 @@@@ /* Maximum positive integer used in PNG is (2^31)-1 */ #define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +/* Constraints on width, height, (2 ^ 24) - 1*/ +#define PNG_MAX_DIMENSION 16777215 + /* These describe the color_type field in png_info. */ /* color type masks */ #define PNG_COLOR_MASK_PALETTE 1 diff -ru libpng-1.2.5/pngrutil.c libpng-1.2.5.fix/pngrutil.c --- pngrutil.c.orig 2004-07-13 13:36:37.000000000 +0100 +++ pngrutil.c 2004-07-13 23:43:02.000000000 +0100 @@@@ -350,7 +350,11 @@@@ png_crc_finish(png_ptr, 0); width = png_get_uint_32(buf); + if (width > PNG_MAX_DIMENSION) + png_error(png_ptr, "Width is too large"); height = png_get_uint_32(buf + 4); + if (height > PNG_MAX_DIMENSION) + png_error(png_ptr, "Height is too large"); bit_depth = buf[8]; color_type = buf[9]; compression_type = buf[10]; @@@@ -675,7 +679,7 @@@@ else truelen = (png_size_t)png_ptr->channels; - if (length != truelen) + if (length != truelen || length > 4) { png_warning(png_ptr, "Incorrect sBIT chunk length"); png_crc_finish(png_ptr, length); @@@@ -1400,7 +1405,7 @@@@ void /* PRIVATE */ png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { - int num, i; + unsigned int num, i; png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH]; png_debug(1, "in png_handle_hIST\n"); @@@@ -1426,8 +1431,8 @@@@ return; } - num = (int)length / 2 ; - if (num != png_ptr->num_palette) + num = length / 2 ; + if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect hIST chunk length"); png_crc_finish(png_ptr, length); @@@@ -2868,6 +2873,9 @@@@ png_read_data(png_ptr, chunk_length, 4); png_ptr->idat_size = png_get_uint_32(chunk_length); + if (png_ptr->idat_size > PNG_MAX_UINT) + png_error(png_ptr, "Invalid chunk length."); + png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4)) @ 1.3 log @fixed an ancient leftover in pngconf.h that preventet gnuplot to build with PNG support on linux systems @ text @d1 28 a28 2 --- pngrtran.c.orig Wed Oct 2 20:20:24 2002 +++ pngrtran.c Wed Jan 15 11:30:23 2003 d52 4 a55 2 Steve G Libpng accesses memory that is out of bounds when creating an error message @ 1.2 log @SA-2004.017-png @ text @d48 13 @ 1.1 log @fix security bug @ text @d25 23 @ 1.1.10.1 log @SA-2004.017-png @ text @a24 23 Steve G Libpng accesses memory that is out of bounds when creating an error message Index: pngerror.c --- pngerror.c.orig 2002-10-03 13:32:27.000000000 +0200 +++ pngerror.c 2004-04-28 13:24:22.000000000 +0200 @@@@ -135,10 +135,13 @@@@ buffer[iout] = 0; else { + png_size_t len; + if ((len = png_strlen(error_message)) > 63) + len = 63; buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer+iout, error_message, 64); - buffer[iout+63] = 0; + png_memcpy(buffer+iout, error_message, len); + buffer[iout+len] = 0; } } @ 1.1.10.2 log @apply extended security fix and a cleanup patch from CURRENT @ text @d1 2 a2 28 Security Fix (CAN-2002-1363): Possible buffer overflows. Index: pngrtran.c --- pngrtran.c.orig 2002-10-03 13:32:29 +0200 +++ pngrtran.c 2004-06-29 10:06:10 +0200 @@@@ -1889,8 +1889,8 @@@@ /* This changes the data from GG to GGXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@@@ -1907,8 +1907,8 @@@@ /* This changes the data from GG to XXGG */ else { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < row_width; i++) { *(--dp) = *(--sp); d26 2 a27 4 ----------------------------------------------------------------------------- Security Fix (Steve G ): Access to memory that is out of bounds when creating an error message. a47 13 --- pngconf.h.orig 2004-05-27 09:42:21.000000000 +0200 +++ pngconf.h 2004-05-27 09:43:22.000000000 +0200 @@@@ -251,10 +251,6 @@@@ # define PNG_SAVE_BSD_SOURCE # undef _BSD_SOURCE # endif -# ifdef _SETJMP_H - __png.h__ already includes setjmp.h; - __dont__ include it again.; -# endif # endif /* __linux__ */ /* include setjmp.h for error handling */ @ 1.1.12.1 log @SA-2004.017-png @ text @a24 23 Steve G Libpng accesses memory that is out of bounds when creating an error message Index: pngerror.c --- pngerror.c.orig 2002-10-03 13:32:27.000000000 +0200 +++ pngerror.c 2004-04-28 13:24:22.000000000 +0200 @@@@ -135,10 +135,13 @@@@ buffer[iout] = 0; else { + png_size_t len; + if ((len = png_strlen(error_message)) > 63) + len = 63; buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer+iout, error_message, 64); - buffer[iout+63] = 0; + png_memcpy(buffer+iout, error_message, len); + buffer[iout+len] = 0; } } @ 1.1.12.2 log @apply extended security fix and a cleanup patch from CURRENT @ text @d1 2 a2 28 Security Fix (CAN-2002-1363): Possible buffer overflows. Index: pngrtran.c --- pngrtran.c.orig 2002-10-03 13:32:29 +0200 +++ pngrtran.c 2004-06-29 10:06:10 +0200 @@@@ -1889,8 +1889,8 @@@@ /* This changes the data from GG to GGXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@@@ -1907,8 +1907,8 @@@@ /* This changes the data from GG to XXGG */ else { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < row_width; i++) { *(--dp) = *(--sp); d26 2 a27 4 ----------------------------------------------------------------------------- Security Fix (Steve G ): Access to memory that is out of bounds when creating an error message. a47 13 --- pngconf.h.orig 2004-05-27 09:42:21.000000000 +0200 +++ pngconf.h 2004-05-27 09:43:22.000000000 +0200 @@@@ -251,10 +251,6 @@@@ # define PNG_SAVE_BSD_SOURCE # undef _BSD_SOURCE # endif -# ifdef _SETJMP_H - __png.h__ already includes setjmp.h; - __dont__ include it again.; -# endif # endif /* __linux__ */ /* include setjmp.h for error handling */ @ 1.1.12.3 log @SA-2004.035-png; CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 @ text @a88 375 http://www.graphicsmagick.org/libpng/beta/patches/INFO.txt > [Problems discovered and fixed by] Chris Evans > > 1) Remotely exploitable stack-based buffer overrun in png_handle_tRNS (pngrutil.c) > 2) Dangerous code in png_handle_sBIT (pngrutil.c) CAN-2004-0597 > 3) Possible NULL-pointer crash in png_handle_iCCP (pngrutil.c) > this flaw is duplicated in multiple other locations. CAN-2004-0598 > 4) Theoretical integer overflow in allocation in png_handle_sPLT (pngrutil.c) > 5) Integer overflow in png_read_png (pngread.c) > 6) Integer overflows during progressive reading. > 7) Other flaws. [integer overflows] CAN-2004-0599 http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch03-trns-chunk-overflow.txt Use to patch libpng-1.0.9 through 1.2.5 This fixes the most dangerous of the newly reported vulnerabilities diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch03/pngrutil.c --- pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ pngrutil.c Fri Jul 23 18:54:36 2004 @@@@ -1241,7 +1241,8 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before tRNS"); } - else if (length > (png_uint_32)png_ptr->num_palette) + if (length > (png_uint_32)png_ptr->num_palette || + length > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect tRNS chunk length"); png_crc_finish(png_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch04-get-uint-31.txt Use to patch libpng-1.0.6 through 1.2.5 This patch defines PNG_UINT_31_MAX, PNG_UINT_32_MAX, PNG_SIZE_MAX, and png_get_uint_31(), which are needed by patches 05-08. diff -r -U 3 libpng-1.2.5/png.h libpng-1.2.5patch04/png.h --- png.h.orig Thu Oct 3 06:32:26 2002 +++ png.h Fri Jul 23 18:56:27 2004 @@@@ -833,7 +833,11 @@@@ typedef png_info FAR * FAR * png_infopp; /* Maximum positive integer used in PNG is (2^31)-1 */ -#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL) +#define PNG_UINT_32_MAX (~((png_uint_32)0)) +#define PNG_SIZE_MAX (~((png_size_t)0)) +/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */ +#define PNG_MAX_UINT PNG_UINT_31_MAX /* These describe the color_type field in png_info. */ /* color type masks */ @@@@ -2655,6 +2659,8 @@@@ PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf)); PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf)); #endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */ +PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr, + png_bytep buf)); /* Initialize png_ptr struct for reading, and allocate any other memory. * (old interface - DEPRECATED - use png_create_read_struct instead). diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch04/pngrutil.c --- pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ pngrutil.c Fri Jul 23 18:56:27 2004 @@@@ -38,6 +38,14 @@@@ # endif #endif +png_uint_32 /* PRIVATE */ +png_get_uint_31(png_structp png_ptr, png_bytep buf) +{ + png_uint_32 i = png_get_uint_32(buf); + if (i > PNG_UINT_31_MAX) + png_error(png_ptr, "PNG unsigned integer out of range.\n"); + return (i); +} #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */ png_uint_32 /* PRIVATE */ http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch05-pngpread-chunklength.txt Use to patch libpng-1.0.0 through 1.2.5 Requires one of libpng-patch04* diff -r -U 3 libpng-1.2.5/pngpread.c libpng-1.2.5patch05/pngpread.c --- pngpread.c.orig Thu Oct 3 06:32:28 2002 +++ pngpread.c Fri Jul 23 18:57:39 2004 @@@@ -208,7 +208,7 @@@@ } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_32(chunk_length); + png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; @@@@ -591,6 +591,11 @@@@ png_size_t new_max; png_bytep old_buffer; + if (png_ptr->save_buffer_size > PNG_SIZE_MAX - + (png_ptr->current_buffer_size + 256)) + { + png_error(png_ptr, "Potential overflow of save_buffer"); + } new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256; old_buffer = png_ptr->save_buffer; png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr, @@@@ -637,8 +642,7 @@@@ } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_32(chunk_length); - + png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch06-pngread-chunklength.txt Use to patch libpng-1.0.13 through 1.0.15 and 1.2.2 through 1.2.5. Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch06/pngread.c --- pngread.c.orig Thu Oct 3 06:32:29 2002 +++ pngread.c Fri Jul 23 18:59:57 2004 @@@@ -384,7 +384,7 @@@@ png_uint_32 length; png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -392,9 +392,6 @@@@ png_debug2(0, "Reading %s chunk, length=%lu.\n", png_ptr->chunk_name, length); - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); - /* This should be a binary subdivision search or a hash for * matching the chunk name rather than a linear search. */ @@@@ -673,10 +670,7 @@@@ png_crc_finish(png_ptr, 0); png_read_data(png_ptr, chunk_length, 4); - png_ptr->idat_size = png_get_uint_32(chunk_length); - - if (png_ptr->idat_size > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); + png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -946,15 +940,12 @@@@ #endif /* PNG_GLOBAL_ARRAYS */ png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_debug1(0, "Reading %s chunk.\n", png_ptr->chunk_name); - - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4)) png_handle_IHDR(png_ptr, info_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch07-png-read-png-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch07/pngread.c --- pngread.c.orig Thu Oct 3 06:32:29 2002 +++ pngread.c Fri Jul 23 19:01:39 2004 @@@@ -1299,6 +1299,9 @@@@ */ png_read_info(png_ptr, info_ptr); + if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep)) + png_error(png_ptr,"Image is too high to process with png_read_png()"); + /* -------------- image transformations start here ------------------- */ #if defined(PNG_READ_16_TO_8_SUPPORTED) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch08-splt-buffer-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). Requires libpng-patch04-* The "sPLT chunk too long" check from Matthias Clasen (RedHat libpng package maintainer) diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch08/pngrutil.c --- pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ pngrutil.c Fri Jul 23 19:02:48 2004 @@@@ -1154,8 +1154,18 @@@@ } new_palette.nentries = data_length / entry_size; - new_palette.entries = (png_sPLT_entryp)png_malloc( + if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry)) + { + png_warning(png_ptr, "sPLT chunk too long"); + return; + } + new_palette.entries = (png_sPLT_entryp)png_malloc_warn( png_ptr, new_palette.nentries * sizeof(png_sPLT_entry)); + if (new_palette.entries == NULL) + { + png_warning(png_ptr, "sPLT chunk requires too much memory"); + return; + } #ifndef PNG_NO_POINTER_INDEXING for (i = 0; i < new_palette.nentries; i++) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch09-null-iccp-profile.txt Use to patch libpng-1.0.9 through 1.2.5. Does not work with libpng-1.0.6-1.0.8. Libpng-1.0.5 and earlier didn't implement iCCP chunk reading. diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch09/pngrutil.c --- pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ pngrutil.c Fri Jul 23 19:04:28 2004 @@@@ -977,8 +977,7 @@@@ png_bytep pC; png_charp profile; png_uint_32 skip = 0; - png_uint_32 profile_size = 0; - png_uint_32 profile_length = 0; + png_uint_32 profile_size, profile_length; png_size_t slength, prefix_length, data_length; png_debug(1, "in png_handle_iCCP\n"); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch10-find-duplicate-chunk.txt Use to patch libpng-1.0.6 through 1.2.5 Does not work with libpng-1.0.5 and earlier. No security problem. The bugs are similar to the one fixed in patch 03, but the only effect is that libpng will fail to detect misplaced harmless duplicate chunks. diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch10/pngrutil.c --- pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ pngrutil.c Fri Jul 23 19:05:40 2004 @@@@ -579,7 +579,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place gAMA chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -660,7 +660,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sBIT chunk"); } - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) { png_warning(png_ptr, "Duplicate sBIT chunk"); png_crc_finish(png_ptr, length); @@@@ -729,7 +729,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before cHRM"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -891,7 +891,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sRGB chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) { png_warning(png_ptr, "Duplicate sRGB chunk"); png_crc_finish(png_ptr, length); @@@@ -995,7 +995,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place iCCP chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) { png_warning(png_ptr, "Duplicate iCCP chunk"); png_crc_finish(png_ptr, length); This patch from Chris Evans avoids a host of security problems related to buffer overflows that might occur when processing very large images. It causes the reader to reject any images claiming to have more rows or columns the png format supports. diff -ru libpng-1.2.5/png.h libpng-1.2.5.fix/png.h --- png.h.orig 2002-10-03 12:32:26.000000000 +0100 +++ png.h 2004-07-13 23:18:10.000000000 +0100 @@@@ -835,6 +835,9 @@@@ /* Maximum positive integer used in PNG is (2^31)-1 */ #define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +/* Constraints on width, height, (2 ^ 24) - 1*/ +#define PNG_MAX_DIMENSION 16777215 + /* These describe the color_type field in png_info. */ /* color type masks */ #define PNG_COLOR_MASK_PALETTE 1 diff -ru libpng-1.2.5/pngrutil.c libpng-1.2.5.fix/pngrutil.c --- pngrutil.c.orig 2004-07-13 13:36:37.000000000 +0100 +++ pngrutil.c 2004-07-13 23:43:02.000000000 +0100 @@@@ -350,7 +350,11 @@@@ png_crc_finish(png_ptr, 0); width = png_get_uint_32(buf); + if (width > PNG_MAX_DIMENSION) + png_error(png_ptr, "Width is too large"); height = png_get_uint_32(buf + 4); + if (height > PNG_MAX_DIMENSION) + png_error(png_ptr, "Height is too large"); bit_depth = buf[8]; color_type = buf[9]; compression_type = buf[10]; @@@@ -675,7 +679,7 @@@@ else truelen = (png_size_t)png_ptr->channels; - if (length != truelen) + if (length != truelen || length > 4) { png_warning(png_ptr, "Incorrect sBIT chunk length"); png_crc_finish(png_ptr, length); @@@@ -1400,7 +1405,7 @@@@ void /* PRIVATE */ png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { - int num, i; + unsigned int num, i; png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH]; png_debug(1, "in png_handle_hIST\n"); @@@@ -1426,8 +1431,8 @@@@ return; } - num = (int)length / 2 ; - if (num != png_ptr->num_palette) + num = length / 2 ; + if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect hIST chunk length"); png_crc_finish(png_ptr, length); @@@@ -2868,6 +2873,9 @@@@ png_read_data(png_ptr, chunk_length, 4); png_ptr->idat_size = png_get_uint_32(chunk_length); + if (png_ptr->idat_size > PNG_MAX_UINT) + png_error(png_ptr, "Invalid chunk length."); + png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4)) @ 1.1.4.1 log @fix security bug @ text @d1 2 a2 2 --- pngrtran.c.orig Mon Jul 8 02:15:09 2002 +++ pngrtran.c Wed Jan 15 11:22:32 2003 @ 1.1.2.1 log @fix security bug @ text @d1 3 a3 3 --- pngrtran.c.orig Sat Sep 1 14:53:52 2001 +++ pngrtran.c Wed Jan 15 11:26:36 2003 @@@@ -1924,8 +1924,8 @@@@ d14 1 a14 1 @@@@ -1946,8 +1946,8 @@@@ @