diff -r -U 3 libpng-1.2.1/png.h libpng-1.2.1p/png.h --- libpng-1.2.1/png.h Wed Dec 12 17:37:19 2001 +++ libpng-1.2.1p/png.h Tue Aug 3 21:32:09 2004 @@ -816,7 +816,11 @@ typedef png_info FAR * FAR * png_infopp; /* Maximum positive integer used in PNG is (2^31)-1 */ -#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL) +#define PNG_UINT_32_MAX (~((png_uint_32)0)) +#define PNG_SIZE_MAX (~((png_size_t)0)) +/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */ +#define PNG_MAX_UINT PNG_UINT_31_MAX /* These describe the color_type field in png_info. */ /* color type masks */ @@ -2600,6 +2604,8 @@ PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf)); PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf)); #endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */ +PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr, + png_bytep buf)); /* Initialize png_ptr struct for reading, and allocate any other memory. * (old interface - DEPRECATED - use png_create_read_struct instead). diff -r -U 3 libpng-1.2.1/pngconf.h libpng-1.2.1p/pngconf.h --- libpng-1.2.1/pngconf.h Wed Dec 12 17:37:19 2001 +++ libpng-1.2.1p/pngconf.h Tue Aug 3 21:33:13 2004 @@ -651,6 +651,13 @@ # define PNG_USER_MEM_SUPPORTED #endif +#ifndef PNG_USER_WIDTH_MAX +# define PNG_USER_WIDTH_MAX 1000000L +#endif +#ifndef PNG_USER_HEIGHT_MAX +# define PNG_USER_HEIGHT_MAX 1000000L +#endif + /* These are currently experimental features, define them if you want */ /* very little testing */ @@ -1263,6 +1270,7 @@ # define CVT_PTR(ptr) (png_far_to_near(png_ptr,ptr,CHECK)) # define CVT_PTR_NOCHECK(ptr) (png_far_to_near(png_ptr,ptr,NOCHECK)) # define png_strcpy _fstrcpy +# define png_strncpy _fstrncpy /* Added to v 1.2.6 */ # define png_strlen _fstrlen # define png_memcmp _fmemcmp /* SJT: added */ # define png_memcpy _fmemcpy @@ -1271,6 +1279,7 @@ # define CVT_PTR(ptr) (ptr) # define CVT_PTR_NOCHECK(ptr) (ptr) # define png_strcpy strcpy +# define png_strncpy strncpy /* Added to v 1.2.6 */ # define png_strlen strlen # define png_memcmp memcmp /* SJT: added */ # define png_memcpy memcpy diff -r -U 3 libpng-1.2.1/pngerror.c libpng-1.2.1p/pngerror.c --- libpng-1.2.1/pngerror.c Wed Dec 12 17:37:19 2001 +++ libpng-1.2.1p/pngerror.c Tue Aug 3 21:32:09 2004 @@ -136,7 +136,7 @@ { buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer+iout, message, 64); + png_strncpy(buffer+iout, message, 63); buffer[iout+63] = 0; } } diff -r -U 3 libpng-1.2.1/pngpread.c libpng-1.2.1p/pngpread.c --- libpng-1.2.1/pngpread.c Wed Dec 12 17:37:21 2001 +++ libpng-1.2.1p/pngpread.c Tue Aug 3 21:32:09 2004 @@ -208,7 +208,7 @@ } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_32(chunk_length); + png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; @@ -581,6 +581,11 @@ png_size_t new_max; png_bytep old_buffer; + if (png_ptr->save_buffer_size > PNG_SIZE_MAX - + (png_ptr->current_buffer_size + 256)) + { + png_error(png_ptr, "Potential overflow of save_buffer"); + } new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256; old_buffer = png_ptr->save_buffer; png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr, @@ -627,8 +632,7 @@ } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_32(chunk_length); - + png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; diff -r -U 3 libpng-1.2.1/pngread.c libpng-1.2.1p/pngread.c --- libpng-1.2.1/pngread.c Wed Dec 12 17:37:21 2001 +++ libpng-1.2.1p/pngread.c Tue Aug 3 21:32:09 2004 @@ -365,7 +365,7 @@ png_uint_32 length; png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@ -654,7 +654,7 @@ png_crc_finish(png_ptr, 0); png_read_data(png_ptr, chunk_length, 4); - png_ptr->idat_size = png_get_uint_32(chunk_length); + png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@ -927,7 +927,7 @@ #endif /* PNG_GLOBAL_ARRAYS */ png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@ -1272,6 +1272,9 @@ * PNG file before the first IDAT (image data chunk). */ png_read_info(png_ptr, info_ptr); + + if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep)) + png_error(png_ptr,"Image is too high to process with png_read_png()"); /* -------------- image transformations start here ------------------- */ diff -r -U 3 libpng-1.2.1/pngrtran.c libpng-1.2.1p/pngrtran.c --- libpng-1.2.1/pngrtran.c Wed Dec 12 17:37:22 2001 +++ libpng-1.2.1p/pngrtran.c Tue Aug 3 21:32:09 2004 @@ -1851,8 +1851,8 @@ /* This changes the data from GG to GGXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@ -1869,8 +1869,8 @@ /* This changes the data from GG to XXGG */ else { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < row_width; i++) { *(--dp) = *(--sp); @@ -1927,8 +1927,8 @@ /* This changes the data from RRGGBB to RRGGBBXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width * 3; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 6; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@ -1949,8 +1949,8 @@ /* This changes the data from RRGGBB to XXRRGGBB */ else { - png_bytep sp = row + (png_size_t)row_width * 3; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 6; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < row_width; i++) { *(--dp) = *(--sp); diff -r -U 3 libpng-1.2.1/pngrutil.c libpng-1.2.1p/pngrutil.c --- libpng-1.2.1/pngrutil.c Wed Dec 12 17:37:22 2001 +++ libpng-1.2.1p/pngrutil.c Tue Aug 3 21:32:10 2004 @@ -38,6 +38,14 @@ # endif #endif +png_uint_32 /* PRIVATE */ +png_get_uint_31(png_structp png_ptr, png_bytep buf) +{ + png_uint_32 i = png_get_uint_32(buf); + if (i > PNG_UINT_31_MAX) + png_error(png_ptr, "PNG unsigned integer out of range.\n"); + return (i); +} #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */ png_uint_32 /* PRIVATE */ @@ -557,7 +565,7 @@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place gAMA chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@ -638,7 +646,7 @@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sBIT chunk"); } - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) { png_warning(png_ptr, "Duplicate sBIT chunk"); png_crc_finish(png_ptr, length); @@ -705,7 +713,7 @@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before cHRM"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@ -858,7 +866,7 @@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sRGB chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) { png_warning(png_ptr, "Duplicate sRGB chunk"); png_crc_finish(png_ptr, length); @@ -954,8 +962,7 @@ png_byte compression_type; png_charp profile; png_uint_32 skip = 0; - png_uint_32 profile_size = 0; - png_uint_32 profile_length = 0; + png_uint_32 profile_size, profile_length; png_size_t slength, prefix_length, data_length; png_debug(1, "in png_handle_iCCP\n"); @@ -972,7 +979,7 @@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place iCCP chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) { png_warning(png_ptr, "Duplicate iCCP chunk"); png_crc_finish(png_ptr, length); @@ -1130,8 +1137,18 @@ } new_palette.nentries = data_length / entry_size; + if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry)) + { + png_warning(png_ptr, "sPLT chunk too long"); + return; + } new_palette.entries = (png_sPLT_entryp)png_malloc( png_ptr, new_palette.nentries * sizeof(png_sPLT_entry)); + if (new_palette.entries == NULL) + { + png_warning(png_ptr, "sPLT chunk requires too much memory"); + return; + } #ifndef PNG_NO_POINTER_INDEXING for (i = 0; i < new_palette.nentries; i++) @@ -1217,7 +1234,8 @@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before tRNS"); } - else if (length > (png_uint_32)png_ptr->num_palette) + if (length > (png_uint_32)png_ptr->num_palette || + length > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect tRNS chunk length"); png_crc_finish(png_ptr, length); diff -r -U 3 libpng-1.2.1/pngset.c libpng-1.2.1p/pngset.c --- libpng-1.2.1/pngset.c Wed Dec 12 17:37:22 2001 +++ libpng-1.2.1p/pngset.c Tue Aug 3 21:33:14 2004 @@ -185,6 +185,8 @@ png_error(png_ptr, "Image width or height is zero in IHDR"); if (width > PNG_MAX_UINT || height > PNG_MAX_UINT) png_error(png_ptr, "Invalid image size in IHDR"); + if (width > PNG_USER_WIDTH_MAX || height > PNG_USER_HEIGHT_MAX) + png_error(png_ptr, "image size exceeds user limits in IHDR"); /* check other values */ if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&