[libpng16] Avoid a harmless potential integer overflow in png_XYZ_from_xy().

d46b5709 · Glenn Randers-Pehrson · 918d23f6 · d46b5709 · d46b5709 · d46b5709
隐藏空白更改
内联并排

Showing with 33 addition and 24 deletion

ANNOUNCE ANNOUNCE +3 -2

CHANGES CHANGES +21 -14

png.c png.c +9 -8

未找到文件。
--- a/ANNOUNCE
+++ b/ANNOUNCE
-Libpng 1.6.18beta04 - May 9, 2015
+Libpng 1.6.18beta04 - May 20, 2015

 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -46,11 +46,12 @@ Version 1.6.18beta03 [May 6, 2015]
    and an example PNG generation tool, contrib/examples/genpng.c
    (John Bowler).

-Version 1.6.18beta04 [May 9, 2015]
+Version 1.6.18beta04 [May 20, 2015]
  PNG_RELEASE_BUILD replaces tests where the code depended on the build base
    type and can be defined on the command line, allowing testing in beta
    builds (John Bowler).
  Avoid Coverity issue 80858 (REVERSE NULL) in pngtest.c
+  Avoid a harmless potential integer overflow in png_XYZ_from_xy().

 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

--- a/CHANGES
+++ b/CHANGES
-
+#if 0
 CHANGES - changes for libpng

-Version 0.2
+version 0.1 [March 29, 1995]
+  initial work-in-progress release
+
+version 0.2 [April 1, 1995]
  added reader into png.h
  fixed small problems in stub file

-Version 0.3
+version 0.3 [April 8, 1995]
  added pull reader
  split up pngwrite.c to several files
  added pnglib.txt
@@ -14,9 +17,9 @@ Version 0.3
  fixed some bugs in writer
  interfaced with zlib 0.5
  added K&R support
-  added check for 64 KB blocks for 16-bit machines
+  added check for 64 KB blocks for 16 bit machines

-Version 0.4
+version 0.4 [April 26, 1995]
  cleaned up code and commented code
  simplified time handling into png_time
  created png_color_16 and png_color_8 to handle color needs
@@ -27,28 +30,29 @@ Version 0.4
  cleaned up zTXt reader and writer (using zlib's Reset functions)
  split transformations into pngrtran.c and pngwtran.c

-Version 0.5
+version 0.5 [April 30, 1995]
  interfaced with zlib 0.8
  fixed many reading and writing bugs
  saved using 3 spaces instead of tabs

-Version 0.6
+version 0.6 [May 1, 1995]
+  first beta release
  added png_large_malloc() and png_large_free()
  added png_size_t
  cleaned up some compiler warnings
  added png_start_read_image()

-Version 0.7
+version 0.7 [June 24, 1995]
  cleaned up lots of bugs
  finished dithering and other stuff
  added test program
  changed name from pnglib to libpng

-Version 0.71 [June, 1995]
+version 0.71 [June 26, 1995]
  changed pngtest.png for zlib 0.93
  fixed error in libpng.txt and example.c

-Version 0.8
+version 0.8 [August 20, 1995]
  cleaned up some bugs
  added png_set_filler()
  split up pngstub.c into pngmem.c, pngio.c, and pngerror.c
@@ -1449,8 +1453,9 @@ Version 1.2.6beta4 [July 28, 2004]
  Use png_malloc instead of png_zalloc to allocate the pallete.

 Version 1.0.16rc1 and 1.2.6rc1 [August 4, 2004]
-  Fixed buffer overflow vulnerability in png_handle_tRNS()
-  Fixed integer arithmetic overflow vulnerability in png_read_png().
+  Fixed buffer overflow vulnerability (CVE-2004-0597) in png_handle_tRNS().
+  Fixed NULL dereference vulnerability (CVE-2004-0598) in png_handle_iCCP().
+  Fixed integer overflow vulnerability (CVE-2004-0599) in png_read_png().
  Fixed some harmless bugs in png_handle_sBIT, etc, that would cause
    duplicate chunk types to go undetected.
  Fixed some timestamps in the -config version
@@ -5226,11 +5231,12 @@ Version 1.6.18beta03 [May 6, 2015]
    and an example PNG generation tool, contrib/examples/genpng.c
    (John Bowler).

-Version 1.6.18beta04 [May 9, 2015]
+Version 1.6.18beta04 [May 20, 2015]
  PNG_RELEASE_BUILD replaces tests where the code depended on the build base
    type and can be defined on the command line, allowing testing in beta
    builds (John Bowler).
-  Avoid Coverity issue 80858 (REVERSE NULL) in pngtest.c
+  Avoid Coverity issue 80858 (REVERSE NULL) in pngtest.c PNG_DEBUG builds.
+  Avoid a harmless potential integer overflow in png_XYZ_from_xy().

 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
@@ -5239,3 +5245,4 @@ to subscribe)
 or to glennrp at users.sourceforge.net

 Glenn R-P
+#endif
--- a/png.c
+++ b/png.c
@@ -766,13 +766,13 @@ png_get_copyright(png_const_structrp png_ptr)
 #else
 #  ifdef __STDC__
   return PNG_STRING_NEWLINE \
-     "libpng version 1.6.18beta04 - May 9, 2015" PNG_STRING_NEWLINE \
+     "libpng version 1.6.18beta04 - May 20, 2015" PNG_STRING_NEWLINE \
     "Copyright (c) 1998-2015 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \
     "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
     "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
     PNG_STRING_NEWLINE;
 #  else
-      return "libpng version 1.6.18beta04 - May 9, 2015\
+      return "libpng version 1.6.18beta04 - May 20, 2015\
      Copyright (c) 1998-2015 Glenn Randers-Pehrson\
      Copyright (c) 1996-1997 Andreas Dilger\
      Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.";
@@ -1235,16 +1235,17 @@ png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy)

   /* Check xy and, implicitly, z.  Note that wide gamut color spaces typically
    * have end points with 0 tristimulus values (these are impossible end
-    * points, but they are used to cover the possible colors.)
+    * points, but they are used to cover the possible colors).  We check
+    * xy->whitey against 5, not 0, to avoid a possible integer overflow.
    */
-   if (xy->redx < 0 || xy->redx > PNG_FP_1) return 1;
-   if (xy->redy < 0 || xy->redy > PNG_FP_1-xy->redx) return 1;
+   if (xy->redx   < 0 || xy->redx > PNG_FP_1) return 1;
+   if (xy->redy   < 0 || xy->redy > PNG_FP_1-xy->redx) return 1;
   if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1;
   if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1;
-   if (xy->bluex < 0 || xy->bluex > PNG_FP_1) return 1;
-   if (xy->bluey < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1;
+   if (xy->bluex  < 0 || xy->bluex > PNG_FP_1) return 1;
+   if (xy->bluey  < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1;
   if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1;
-   if (xy->whitey < 0 || xy->whitey > PNG_FP_1-xy->whitex) return 1;
+   if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1;

   /* The reverse calculation is more difficult because the original tristimulus
    * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8