path: root/meta/recipes-multimedia/libpng/libpng-1.6.16/CVE-2015-8126_2.patch
blob: 4aa917084abc0015beddbf10df081bec7b4eb928 (plain)
From a901eb3ce6087e0afeef988247f1a1aa208cb54d Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
Date: Fri, 30 Oct 2015 07:57:49 -0500
Subject: [PATCH] [libpng16] Prevent reading over-length PLTE chunk (Cosmin
 Truta).

Upstream-Status: Backport
https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d

Many of the upstream changes involved date and version updates, which don't apply in this case.

CVE: CVE-2015-8126 patch #2
Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 ANNOUNCE          |  6 +++---
 CHANGES           |  4 ++--
 libpng-manual.txt | 11 +++++------
 libpng.3          | 19 +++++++++----------
 pngrutil.c        |  3 +++
 pngset.c          | 13 +++++++++----
 pngwutil.c        |  6 +++---
 7 files changed, 34 insertions(+), 28 deletions(-)

Index: libpng-1.6.17/libpng-manual.txt
===================================================================
--- libpng-1.6.17.orig/libpng-manual.txt
+++ libpng-1.6.17/libpng-manual.txt
@@ -5109,10 +5109,9 @@ length, which resulted in PNG files that
 chunk.  This error was fixed in libpng-1.6.3, and a tool (called
 contrib/tools/png-fix-itxt) has been added to the libpng distribution.
 
-Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
+Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk
 is an error. Previously this requirement of the PNG specification was not
-enforced. Libpng continues to accept over-length PLTE chunks when reading,
-but does not make any use of the extra entries.
+enforced, and the palette was always limited to 256 entries.
 
 XIII.  Detecting libpng
 
Index: libpng-1.6.17/libpng.3
===================================================================
--- libpng-1.6.17.orig/libpng.3
+++ libpng-1.6.17/libpng.3
@@ -5613,10 +5613,9 @@ length, which resulted in PNG files that
 chunk.  This error was fixed in libpng-1.6.3, and a tool (called
 contrib/tools/png-fix-itxt) has been added to the libpng distribution.
 
-Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
+Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk
 is an error. Previously this requirement of the PNG specification was not
-enforced. Libpng continues to accept over-length PLTE chunks when reading,
-but does not make any use of the extra entries.
+enforced, and the palette was always limited to 256 entries.
 
 .SH XIII.  Detecting libpng
 
Index: libpng-1.6.17/pngrutil.c
===================================================================
--- libpng-1.6.17.orig/pngrutil.c
+++ libpng-1.6.17/pngrutil.c
@@ -997,6 +997,9 @@ png_handle_PLTE(png_structrp png_ptr, pn
     * confusing.
     *
     * Fix this by not sharing the palette in this way.
+    *
+    * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
+    * it attempts to set a palette length that is too large for the bit depth.
     */
    png_set_PLTE(png_ptr, info_ptr, palette, num);
 
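Review bot: The added comment overstates what png_set_PLTE() now does: in the pngset.c hunk of this same patch, png_error() is raised only when info_ptr->color_type is PNG_COLOR_TYPE_PALETTE, and the non-palette branch lies outside that hunk, so a reader of png_handle_PLTE() should not take the error as unconditional. Suggest narrowing the wording to `* Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when` / `* the image is colour-mapped and the palette length exceeds what the bit depth` / `* allows.` The enclosing png_handle_PLTE() starts and ends outside the hunk.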
Index: libpng-1.6.17/pngset.c
===================================================================
--- libpng-1.6.17.orig/pngset.c
+++ libpng-1.6.17/pngset.c
@@ -513,12 +513,17 @@ png_set_PLTE(png_structrp png_ptr, png_i
     png_const_colorp palette, int num_palette)
 {
 
+   png_uint_32 max_palette_length;
+
    png_debug1(1, "in %s storage function", "PLTE");
 
    if (png_ptr == NULL || info_ptr == NULL)
       return;
 
-   if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)
+   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
+   if (num_palette < 0 || num_palette > max_palette_length)
    {
       if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
          png_error(png_ptr, "Invalid palette length");
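Review bot: The new limit is computed from png_ptr->color_type and png_ptr->bit_depth, while the severity decision two lines below still keys on info_ptr->color_type; when the two structs disagree (presumably possible for a writer that has filled info_ptr via png_set_IHDR before png_ptr's fields are populated — worth confirming), an over-length palette can be measured against one image type and reported under another. Deriving both from the same struct, e.g. `max_palette_length = (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?` / `(1 << info_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;`, would keep the check and its consequence consistent. Separately, `num_palette > max_palette_length` compares an int with a png_uint_32; the preceding `num_palette < 0` test keeps it safe via short-circuit, but `(png_uint_32)num_palette > max_palette_length` makes that intent explicit and avoids a sign-compare warning. png_set_PLTE() continues past the end of the hunk.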
@@ -551,8 +556,8 @@ png_set_PLTE(png_structrp png_ptr, png_i
    png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
 
    /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
-    * of num_palette entries, in case of an invalid PNG file that has
-    * too-large sample values.
+    * of num_palette entries, in case of an invalid PNG file or incorrect
+    * call to png_set_PLTE() with too-large sample values.
     */
    png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
        PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
Index: libpng-1.6.17/pngwutil.c
===================================================================
--- libpng-1.6.17.orig/pngwutil.c
+++ libpng-1.6.17/pngwutil.c
@@ -922,20 +922,20 @@ void /* PRIVATE */
 png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
     png_uint_32 num_pal)
 {
-   png_uint_32 max_num_pal, i;
+   png_uint_32 max_palette_length, i;
    png_const_colorp pal_ptr;
    png_byte buf[3];
 
    png_debug(1, "in png_write_PLTE");
 
-   max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
       (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
 
    if ((
 #ifdef PNG_MNG_FEATURES_SUPPORTED
        (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
 #endif
-       num_pal == 0) || num_pal > max_num_pal)
+       num_pal == 0) || num_pal > max_palette_length)
    {
       if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
       {