
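--- a/libpng-1.2.5/png.h
+++ b/libpng-1.2.5/png.h
@@ -835,5 +835,8 @@
 /* Maximum positive integer used in PNG is (2^31)-1 */
 #define PNG_MAX_UINT ((png_uint_32)0x7fffffffL)
+/* Constraints on width, height, (2 ^ 24) - 1*/
+#define PNG_MAX_DIMENSION 16777215
+
 /* These describe the color_type field in png_info. */
 /* color type masks */
 #define PNG_COLOR_MASK_PALETTE    1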
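Review bot: The comment on the new `PNG_MAX_DIMENSION` gives the value but not what it protects, and the macro is an untyped literal sitting next to the cast `PNG_MAX_UINT`. The limit caps width and height separately; it does not by itself bound products such as row bytes times height, which callers presumably still have to check before allocating on 32-bit targets. I would write `/* Largest width or height accepted from IHDR, (2^24)-1; bounds each dimension, not width*height */` and define it as `#define PNG_MAX_DIMENSION ((png_uint_32)0xffffffL)` to match the line above.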
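--- a/libpng-1.2.5/pngpread.c
+++ b/libpng-1.2.5/pngpread.c
@@ -209,5 +209,7 @@
       png_push_fill_buffer(png_ptr, chunk_length, 4);
       png_ptr->push_length = png_get_uint_32(chunk_length);
+      if (png_ptr->push_length > PNG_MAX_UINT)
+         png_error(png_ptr, "Invalid chunk length.");
       png_reset_crc(png_ptr);
       png_crc_read(png_ptr, png_ptr->chunk_name, 4);
       png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
@@ -638,4 +640,6 @@
       png_push_fill_buffer(png_ptr, chunk_length, 4);
       png_ptr->push_length = png_get_uint_32(chunk_length);
+      if (png_ptr->push_length > PNG_MAX_UINT)
+         png_error(png_ptr, "Invalid chunk length.");
       png_reset_crc(png_ptr);
       png_crc_read(png_ptr, png_ptr->chunk_name, 4);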
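Review bot: The same two-line length check is pasted after `png_get_uint_32(chunk_length)` in both hunks of this file (new lines 211-212 and 642-643) and again for `idat_size` in pngrutil.c, so any chunk-length read site that was missed stays unchecked. A single helper that reads the four bytes and rejects values above `PNG_MAX_UINT` would make the check hard to forget; later libpng releases do this with `png_get_uint_31`. Whether other length reads exist outside these hunks cannot be seen from here. If the check stays inline, a comment such as `/* PNG chunk lengths must not exceed (2^31)-1; reject before the value is used as a size */` would record why it is there.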
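--- a/libpng-1.2.5/pngrutil.c
+++ b/libpng-1.2.5/pngrutil.c
@@ -350,6 +350,10 @@
    png_crc_finish(png_ptr, 0);
    width = png_get_uint_32(buf);
+   if (width > PNG_MAX_DIMENSION)
+      png_error(png_ptr, "Width is too large");
    height = png_get_uint_32(buf + 4);
+   if (height > PNG_MAX_DIMENSION)
+      png_error(png_ptr, "Height is too large");
    bit_depth = buf[8];
    color_type = buf[9];
    compression_type = buf[10];
@@ -675,6 +679,6 @@
    else
       truelen = (png_size_t)png_ptr->channels;
-   if (length != truelen)
+   if (length != truelen || length > 4)
    {
       png_warning(png_ptr, "Incorrect sBIT chunk length");
       png_crc_finish(png_ptr, length);
@@ -1244,7 +1248,8 @@
          /* Should be an error, but we can cope with it */
          png_warning(png_ptr, "Missing PLTE before tRNS");
       }
-      else if (length > (png_uint_32)png_ptr->num_palette)
+      if (length > (png_uint_32)png_ptr->num_palette ||
+          length > PNG_MAX_PALETTE_LENGTH)
       {
          png_warning(png_ptr, "Incorrect tRNS chunk length");
          png_crc_finish(png_ptr, length);
@@ -1400,6 +1405,6 @@
 void /* PRIVATE */
 png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
 {
-   int num, i;
+   unsigned int num, i;
    png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
    png_debug(1, "in png_handle_hIST\n");
@@ -1426,7 +1431,7 @@
       return;
    }
-   num = (int)length / 2 ;
+   num = length / 2 ;
-   if (num != png_ptr->num_palette)
+   if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH)
    {
       png_warning(png_ptr, "Incorrect hIST chunk length");
       png_crc_finish(png_ptr, length);
@@ -2868,5 +2873,8 @@
                png_read_data(png_ptr, chunk_length, 4);
                png_ptr->idat_size = png_get_uint_32(chunk_length);
+               if (png_ptr->idat_size > PNG_MAX_UINT)
+                  png_error(png_ptr, "Invalid chunk length.");
+
                png_reset_crc(png_ptr);
                png_crc_read(png_ptr, png_ptr->chunk_name, 4);
                if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4))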
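Review bot: In the tRNS hunk the `else if` became a plain `if`, so the length test now also runs after the "Missing PLTE before tRNS" warning, yet the comment above it still says "we can cope with it". With no PLTE, `num_palette` is presumably 0, so any non-empty palette tRNS is now rejected as "Incorrect tRNS chunk length"; that looks intended, since the `length > PNG_MAX_PALETTE_LENGTH` clause is presumably what keeps the later read inside a fixed-size buffer, but the code should say so. I would add `/* Checked even when PLTE is missing: length must never exceed the palette-sized read buffer */` above the `if`. The bare `4` in the sBIT test (new line 681) would likewise read better with a comment naming the buffer it bounds. Both functions start and end outside their hunks.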
