diff -r -U 3 libpng-1.0.3/png.h libpng-1.0.3p/png.h
--- libpng-1.0.3/png.h	Wed Jan 13 22:06:39 1999
+++ libpng-1.0.3p/png.h	Tue Aug  3 21:27:07 2004
@@ -460,6 +460,11 @@
 typedef png_info FAR * png_infop;
 typedef png_info FAR * FAR * png_infopp;
 
+/* Maximum positive integer used in PNG is (2^31)-1 */
+#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL)
+#define PNG_UINT_32_MAX (~((png_uint_32)0))
+#define PNG_SIZE_MAX (~((png_size_t)0))
+
 /* These describe the color_type field in png_info. */
 /* color type masks */
 #define PNG_COLOR_MASK_PALETTE    1
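Review bot: `PNG_UINT_32_MAX` is defined as `(~((png_uint_32)0))`, which equals 2^32-1 only if `png_uint_32` is exactly 32 bits wide. Its typedef is not visible in this hunk; if it is an `unsigned long` on an LP64 platform, the macro becomes 2^64-1 and a range check written against it would accept values the PNG format cannot represent. A width-independent form would be `#define PNG_UINT_32_MAX ((png_uint_32)0xffffffffUL)`, matching how `PNG_UINT_31_MAX` is written. The comment above the block describes only the first macro, so a line such as `/* Largest values of png_uint_32 and png_size_t, used in overflow checks */` before the other two would help.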
@@ -1749,6 +1754,8 @@
 PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf));
 PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf));
 #endif /* PNG_READ_BIG_ENDIAN_SUPPORTED */
+PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr,
+  png_bytep buf));
 
 /* Initialize png_ptr struct for reading, and allocate any other memory.
  * (old interface - NOT DLL EXPORTED).
diff -r -U 3 libpng-1.0.3/pngconf.h libpng-1.0.3p/pngconf.h
--- libpng-1.0.3/pngconf.h	Wed Jan 13 22:06:39 1999
+++ libpng-1.0.3p/pngconf.h	Tue Aug  3 21:27:14 2004
@@ -408,6 +408,13 @@
 #define PNG_EASY_ACCESS_SUPPORTED
 #endif
 
+#ifndef PNG_USER_WIDTH_MAX
+#  define PNG_USER_WIDTH_MAX 1000000L
+#endif
+#ifndef PNG_USER_HEIGHT_MAX
+#  define PNG_USER_HEIGHT_MAX 1000000L
+#endif
+
 /* These are currently experimental features, define them if you want */
 
 /* very little testing */
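Review bot: The new `PNG_USER_WIDTH_MAX` and `PNG_USER_HEIGHT_MAX` defaults carry no comment saying what they bound or how to override them, and they sit directly above the "experimental features" comment, where they can be misread as part of that group. I would add `/* Largest image width and height, in pixels, that the library accepts; define before including this header to match the application's memory budget. */` above the first `#ifndef`. The comment should also say that these are compile-time limits only, so an application reading untrusted files cannot tighten them at run time.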
diff -r -U 3 libpng-1.0.3/pngpread.c libpng-1.0.3p/pngpread.c
--- libpng-1.0.3/pngpread.c	Wed Jan 13 22:06:39 1999
+++ libpng-1.0.3p/pngpread.c	Tue Aug  3 21:27:07 2004
@@ -133,7 +133,7 @@
       }
 
       png_push_fill_buffer(png_ptr, chunk_length, 4);
-      png_ptr->push_length = png_get_uint_32(chunk_length);
+      png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length);
       png_reset_crc(png_ptr);
       png_crc_read(png_ptr, png_ptr->chunk_name, 4);
       png_ptr->flags |= PNG_FLAG_HAVE_CHUNK_HEADER;
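Review bot: The replacement call is written `png_get_uint_31(png_ptr,chunk_length)` with no space after the comma, while the neighbouring calls in this hunk (`png_push_fill_buffer(png_ptr, chunk_length, 4)`, `png_crc_read(png_ptr, png_ptr->chunk_name, 4)`) have one; `png_get_uint_31(png_ptr, chunk_length)` would match the file. The same spelling recurs in the later pngpread.c hunk and in all three pngread.c hunks. The later pngpread.c hunk also removes the blank line that separated the length read from `png_reset_crc`, which looks unintentional because the pngread.c call sites keep it.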
@@ -464,6 +464,11 @@
       png_size_t new_max;
       png_bytep old_buffer;
 
+      if (png_ptr->save_buffer_size > PNG_SIZE_MAX - 
+         (png_ptr->current_buffer_size + 256))
+      {
+        png_error(png_ptr, "Potential overflow of save_buffer");
+      }
       new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256;
       old_buffer = png_ptr->save_buffer;
       png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr,
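Review bot: The guard computes `png_ptr->current_buffer_size + 256` before subtracting it from `PNG_SIZE_MAX`, so that inner sum can itself wrap when `current_buffer_size` is within 256 of `PNG_SIZE_MAX`; the check then passes while `new_max` on the next line still overflows and the allocation comes out too small. Assuming both fields are `png_size_t` (their declarations are not in the hunk), testing each step separately closes the gap: `if (png_ptr->current_buffer_size > PNG_SIZE_MAX - 256 ||` followed by `png_ptr->save_buffer_size > PNG_SIZE_MAX - 256 - png_ptr->current_buffer_size)`. The first added line also ends in trailing whitespace. The enclosing block starts before the hunk and the `png_malloc` call continues past it.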
@@ -507,8 +512,7 @@
       }
 
       png_push_fill_buffer(png_ptr, chunk_length, 4);
-      png_ptr->push_length = png_get_uint_32(chunk_length);
-
+      png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length);
       png_reset_crc(png_ptr);
       png_crc_read(png_ptr, png_ptr->chunk_name, 4);
       png_ptr->flags |= PNG_FLAG_HAVE_CHUNK_HEADER;
diff -r -U 3 libpng-1.0.3/pngread.c libpng-1.0.3p/pngread.c
--- libpng-1.0.3/pngread.c	Wed Jan 13 22:06:39 1999
+++ libpng-1.0.3p/pngread.c	Tue Aug  3 21:27:07 2004
@@ -183,7 +183,7 @@
       png_uint_32 length;
 
       png_read_data(png_ptr, chunk_length, 4);
-      length = png_get_uint_32(chunk_length);
+      length = png_get_uint_31(png_ptr,chunk_length);
 
       png_reset_crc(png_ptr);
       png_crc_read(png_ptr, png_ptr->chunk_name, 4);
@@ -428,7 +428,7 @@
             png_crc_finish(png_ptr, 0);
 
             png_read_data(png_ptr, chunk_length, 4);
-            png_ptr->idat_size = png_get_uint_32(chunk_length);
+            png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length);
 
             png_reset_crc(png_ptr);
             png_crc_read(png_ptr, png_ptr->chunk_name, 4);
@@ -623,7 +623,7 @@
    do
    {
       png_read_data(png_ptr, chunk_length, 4);
-      length = png_get_uint_32(chunk_length);
+      length = png_get_uint_31(png_ptr,chunk_length);
 
       png_reset_crc(png_ptr);
       png_crc_read(png_ptr, png_ptr->chunk_name, 4);
diff -r -U 3 libpng-1.0.3/pngrtran.c libpng-1.0.3p/pngrtran.c
--- libpng-1.0.3/pngrtran.c	Wed Jan 13 22:06:39 1999
+++ libpng-1.0.3p/pngrtran.c	Tue Aug  3 21:27:08 2004
@@ -1724,8 +1724,8 @@
          /* This changes the data from GG to GGXX */
          if (flags & PNG_FLAG_FILLER_AFTER)
          {
-            png_bytep sp = row + (png_size_t)row_width;
-            png_bytep dp = sp  + (png_size_t)row_width;
+            png_bytep sp = row + (png_size_t)row_width * 2;
+            png_bytep dp = sp  + (png_size_t)row_width * 2;
             for (i = 1; i < row_width; i++)
             {
                *(--dp) = hi_filler;
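Review bot: The corrected offsets `row_width * 2` here, and `* 6` / `* 2` in the two RGB hunks below, are bare byte counts with nothing saying they come from two bytes per 16-bit sample, which is the detail the old code got wrong. A comment such as `/* 16-bit samples: source row is 2*row_width bytes, expanded row is 4*row_width */` on the first `sp`/`dp` pair, with a matching `6*row_width` / `8*row_width` comment in the RGB branches, would keep the arithmetic checkable. The writes through `dp` now reach further past `row` than before, so it is worth confirming that the row buffer is allocated for the expanded size; that allocation is not visible in this diff. The same applies to the other three pngrtran.c hunks, and the enclosing branches start outside each hunk.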
@@ -1742,8 +1742,8 @@
          /* This changes the data from GG to XXGG */
          else
          {
-            png_bytep sp = row + (png_size_t)row_width;
-            png_bytep dp = sp  + (png_size_t)row_width;
+            png_bytep sp = row + (png_size_t)row_width * 2;
+            png_bytep dp = sp  + (png_size_t)row_width * 2;
             for (i = 0; i < row_width; i++)
             {
                *(--dp) = *(--sp);
@@ -1800,8 +1800,8 @@
          /* This changes the data from RRGGBB to RRGGBBXX */
          if (flags & PNG_FLAG_FILLER_AFTER)
          {
-            png_bytep sp = row + (png_size_t)row_width * 3;
-            png_bytep dp = sp  + (png_size_t)row_width;
+            png_bytep sp = row + (png_size_t)row_width * 6;
+            png_bytep dp = sp  + (png_size_t)row_width * 2;
             for (i = 1; i < row_width; i++)
             {
                *(--dp) = hi_filler;
@@ -1822,8 +1822,8 @@
          /* This changes the data from RRGGBB to XXRRGGBB */
          else
          {
-            png_bytep sp = row + (png_size_t)row_width * 3;
-            png_bytep dp = sp  + (png_size_t)row_width;
+            png_bytep sp = row + (png_size_t)row_width * 6;
+            png_bytep dp = sp  + (png_size_t)row_width * 2;
             for (i = 0; i < row_width; i++)
             {
                *(--dp) = *(--sp);
diff -r -U 3 libpng-1.0.3/pngrutil.c libpng-1.0.3p/pngrutil.c
--- libpng-1.0.3/pngrutil.c	Wed Jan 13 22:06:39 1999
+++ libpng-1.0.3p/pngrutil.c	Tue Aug  3 21:27:08 2004
@@ -14,6 +14,14 @@
 #define PNG_INTERNAL
 #include "png.h"
 
+png_uint_32 /* PRIVATE */
+png_get_uint_31(png_structp png_ptr, png_bytep buf)
+{
+   png_uint_32 i = png_get_uint_32(buf);
+   if (i > PNG_UINT_31_MAX)
+     png_error(png_ptr, "PNG unsigned integer out of range.\n");
+   return (i);
+}
 #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED
 /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
 png_uint_32
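Review bot: `png_get_uint_31` returns `i` after calling `png_error`, so the range check protects callers only if `png_error` never returns. That is not visible here; if an application-installed error handler can return, the out-of-range length is handed back unchanged. A header comment should state the contract, for example `/* Read a big-endian 32-bit value and reject anything above PNG_UINT_31_MAX; does not return on error. */`. The message string also ends in `\n`, unlike the other `png_error` strings this patch adds, so `"PNG unsigned integer out of range"` would be consistent. A blank line between the closing brace and the following `#ifndef` would also help readability.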
@@ -750,7 +758,8 @@
          /* Should be an error, but we can cope with it */
          png_warning(png_ptr, "Missing PLTE before tRNS");
       }
-      else if (length > png_ptr->num_palette)
+      if (length > (png_uint_32)png_ptr->num_palette ||
+          length > 256)
       {
          png_warning(png_ptr, "Incorrect tRNS chunk length");
          png_crc_finish(png_ptr, length);
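Review bot: Dropping the `else` means the length test now also runs on the path that has just warned "Missing PLTE before tRNS", so the comment `/* Should be an error, but we can cope with it */` above it may no longer hold. If `num_palette` is still zero on that path (not visible in the hunk), any non-empty tRNS chunk is now discarded with a second, misleading "Incorrect tRNS chunk length" warning. If that is intended, the comment should say so, e.g. `/* Warn only; the length check below then discards the chunk */`. The literal `256` also needs a comment naming what it bounds, presumably the buffer the chunk data is read into further down. The enclosing block continues outside the hunk.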
diff -r -U 3 libpng-1.0.3/pngset.c libpng-1.0.3p/pngset.c
--- libpng-1.0.3/pngset.c	Wed Jan 13 22:06:39 1999
+++ libpng-1.0.3p/pngset.c	Tue Aug  3 21:27:15 2004
@@ -88,6 +88,9 @@
    if (png_ptr == NULL || info_ptr == NULL)
       return;
 
+   if (width > PNG_USER_WIDTH_MAX || height > PNG_USER_HEIGHT_MAX)
+      png_error(png_ptr, "image size exceeds user limits in IHDR");
+
    info_ptr->width = width;
    info_ptr->height = height;
    info_ptr->bit_depth = (png_byte)bit_depth;
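Review bot: The added check bounds `width` and `height` separately, but with both defaults at 1000000 a file can still declare an image whose bytes-per-row times height exceeds a 32-bit size. Callers that size a whole-image buffer from these fields therefore remain exposed to wrap-around. I would document that next to the check, `/* Per-dimension limit only; callers must still guard rowbytes * height before allocating */`, or choose defaults whose product fits. The constants are signed `long` while `width` and `height` are presumably unsigned (their declarations are outside the hunk), so a cast such as `(png_uint_32)PNG_USER_WIDTH_MAX` would make the comparison explicit. The function body starts before and continues after the hunk.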