| OLD | NEW |
|---|
| 1 | 1 |
| 2 /* png.c - location for general purpose libpng functions | 2 /* png.c - location for general purpose libpng functions |
| 3 * | 3 * |
| 4 * Last changed in libpng 1.6.19 [November 12, 2015] | 4 * Last changed in libpng 1.6.19 [November 12, 2015] |
| 5 * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson | 5 * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson |
| 6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) | 6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) |
| 7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) | 7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) |
| 8 * | 8 * |
| 9 * This code is released under the libpng license. | 9 * This code is released under the libpng license. |
| 10 * For conditions of distribution and use, see the disclaimer | 10 * For conditions of distribution and use, see the disclaimer |
| (...skipping 1913 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1924 | 1924 |
| 1925 #ifdef PNG_iCCP_SUPPORTED | 1925 #ifdef PNG_iCCP_SUPPORTED |
| 1926 /* Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value | 1926 /* Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value |
| 1927 * is XYZ(0.9642,1.0,0.8249), which scales to: | 1927 * is XYZ(0.9642,1.0,0.8249), which scales to: |
| 1928 * | 1928 * |
| 1929 * (63189.8112, 65536, 54060.6464) | 1929 * (63189.8112, 65536, 54060.6464) |
| 1930 */ | 1930 */ |
| 1931 static const png_byte D50_nCIEXYZ[12] = | 1931 static const png_byte D50_nCIEXYZ[12] = |
| 1932 { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d }; | 1932 { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d }; |
| 1933 | 1933 |
| 1934 int /* PRIVATE */ | 1934 static int /* bool */ |
| 1935 png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace, | 1935 icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace, |
| 1936 png_const_charp name, png_uint_32 profile_length) | 1936 png_const_charp name, png_uint_32 profile_length) |
| 1937 { | 1937 { |
| 1938 if (profile_length < 132) | 1938 if (profile_length < 132) |
| 1939 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, | 1939 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, |
| 1940 "too short"); | 1940 "too short"); |
| 1941 | 1941 |
| 1942 return 1; | 1942 return 1; |
| 1943 } | 1943 } |
| 1944 | 1944 |
| 1945 #ifdef PNG_READ_iCCP_SUPPORTED |
| 1946 int /* PRIVATE */ |
| 1947 png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace, |
| 1948 png_const_charp name, png_uint_32 profile_length) |
| 1949 { |
| 1950 if (!icc_check_length(png_ptr, colorspace, name, profile_length)) |
| 1951 return 0; |
| 1952 |
| 1953 /* This needs to be here because the 'normal' check is in |
| 1954 * png_decompress_chunk, yet this happens after the attempt to |
| 1955 * png_malloc_base the required data. We only need this on read; on write |
| 1956 * the caller supplies the profile buffer so libpng doesn't allocate it. See |
| 1957 * the call to icc_check_length below (the write case). |
| 1958 */ |
| 1959 # ifdef PNG_SET_USER_LIMITS_SUPPORTED |
| 1960 else if (png_ptr->user_chunk_malloc_max > 0 && |
| 1961 png_ptr->user_chunk_malloc_max < profile_length) |
| 1962 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, |
| 1963 "exceeds application limits"); |
| 1964 # elif PNG_USER_CHUNK_MALLOC_MAX > 0 |
| 1965 else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length) |
| 1966 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, |
| 1967 "exceeds libpng limits"); |
| 1968 # else /* !SET_USER_LIMITS */ |
| 1969 /* This will get compiled out on all 32-bit and better systems. */ |
| 1970 else if (PNG_SIZE_MAX < profile_length) |
| 1971 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, |
| 1972 "exceeds system limits"); |
| 1973 # endif /* !SET_USER_LIMITS */ |
| 1974 |
| 1975 return 1; |
| 1976 } |
| 1977 #endif /* READ_iCCP */ |
| 1978 |
| 1945 int /* PRIVATE */ | 1979 int /* PRIVATE */ |
| 1946 png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace, | 1980 png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace, |
| 1947 png_const_charp name, png_uint_32 profile_length, | 1981 png_const_charp name, png_uint_32 profile_length, |
| 1948 png_const_bytep profile/* first 132 bytes only */, int color_type) | 1982 png_const_bytep profile/* first 132 bytes only */, int color_type) |
| 1949 { | 1983 { |
| 1950 png_uint_32 temp; | 1984 png_uint_32 temp; |
| 1951 | 1985 |
| 1952 /* Length check; this cannot be ignored in this code because profile_length | 1986 /* Length check; this cannot be ignored in this code because profile_length |
| 1953 * is used later to check the tag table, so even if the profile seems over | 1987 * is used later to check the tag table, so even if the profile seems over |
| 1954 * long profile_length from the caller must be correct. The caller can fix | 1988 * long profile_length from the caller must be correct. The caller can fix |
| (...skipping 417 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2372 #endif /* sRGB */ | 2406 #endif /* sRGB */ |
| 2373 | 2407 |
| 2374 int /* PRIVATE */ | 2408 int /* PRIVATE */ |
| 2375 png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace, | 2409 png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace, |
| 2376 png_const_charp name, png_uint_32 profile_length, png_const_bytep profile, | 2410 png_const_charp name, png_uint_32 profile_length, png_const_bytep profile, |
| 2377 int color_type) | 2411 int color_type) |
| 2378 { | 2412 { |
| 2379 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) | 2413 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) |
| 2380 return 0; | 2414 return 0; |
| 2381 | 2415 |
| 2382 if (png_icc_check_length(png_ptr, colorspace, name, profile_length) != 0 && | 2416 if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 && |
| 2383 png_icc_check_header(png_ptr, colorspace, name, profile_length, profile, | 2417 png_icc_check_header(png_ptr, colorspace, name, profile_length, profile, |
| 2384 color_type) != 0 && | 2418 color_type) != 0 && |
| 2385 png_icc_check_tag_table(png_ptr, colorspace, name, profile_length, | 2419 png_icc_check_tag_table(png_ptr, colorspace, name, profile_length, |
| 2386 profile) != 0) | 2420 profile) != 0) |
| 2387 { | 2421 { |
| 2388 # ifdef PNG_sRGB_SUPPORTED | 2422 # ifdef PNG_sRGB_SUPPORTED |
| 2389 /* If no sRGB support, don't try storing sRGB information */ | 2423 /* If no sRGB support, don't try storing sRGB information */ |
| 2390 png_icc_set_sRGB(png_ptr, colorspace, profile, 0); | 2424 png_icc_set_sRGB(png_ptr, colorspace, profile, 0); |
| 2391 # endif | 2425 # endif |
| 2392 return 1; | 2426 return 1; |
| (...skipping 2097 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 4490 { | 4524 { |
| 4491 /* Utility to log an error. */ | 4525 /* Utility to log an error. */ |
| 4492 png_safecat(image->message, (sizeof image->message), 0, error_message); | 4526 png_safecat(image->message, (sizeof image->message), 0, error_message); |
| 4493 image->warning_or_error |= PNG_IMAGE_ERROR; | 4527 image->warning_or_error |= PNG_IMAGE_ERROR; |
| 4494 png_image_free(image); | 4528 png_image_free(image); |
| 4495 return 0; | 4529 return 0; |
| 4496 } | 4530 } |
| 4497 | 4531 |
| 4498 #endif /* SIMPLIFIED READ/WRITE */ | 4532 #endif /* SIMPLIFIED READ/WRITE */ |
| 4499 #endif /* READ || WRITE */ | 4533 #endif /* READ || WRITE */ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2939383002:
libpng: Reject oversized iCCP profile length (Closed)
