diff options
Diffstat (limited to 'libpng/contrib/gregbook')
-rw-r--r-- | libpng/contrib/gregbook/README | 4 | ||||
-rw-r--r-- | libpng/contrib/gregbook/readpng.c | 8 | ||||
-rw-r--r-- | libpng/contrib/gregbook/readpng2.c | 1 | ||||
-rw-r--r-- | libpng/contrib/gregbook/readppm.c | 13 | ||||
-rw-r--r-- | libpng/contrib/gregbook/rpng-win.c | 9 | ||||
-rw-r--r-- | libpng/contrib/gregbook/rpng-x.c | 3 | ||||
-rw-r--r-- | libpng/contrib/gregbook/rpng2-win.c | 12 | ||||
-rw-r--r-- | libpng/contrib/gregbook/rpng2-x.c | 11 | ||||
-rw-r--r-- | libpng/contrib/gregbook/wpng.c | 16 | ||||
-rw-r--r-- | libpng/contrib/gregbook/writepng.c | 2 |
10 files changed, 63 insertions, 16 deletions
diff --git a/libpng/contrib/gregbook/README b/libpng/contrib/gregbook/README index fd30f0581..90e28f7ce 100644 --- a/libpng/contrib/gregbook/README +++ b/libpng/contrib/gregbook/README @@ -55,7 +55,7 @@ mation and links to the latest version of the source code, and Chapters 13-15 of the book for detailed discussion of the three programs. Greg Roelofs -http://pobox.com/~newt/greg_contact.html +https://pobox.com/~newt/greg_contact.html 16 March 2008 @@ -63,7 +63,7 @@ BUILD INSTRUCTIONS - Prerequisites (in order of compilation): - - zlib http://zlib.net/ + - zlib https://zlib.net/ - libpng http://www.libpng.org/pub/png/libpng.html - pngbook http://www.libpng.org/pub/png/book/sources.html diff --git a/libpng/contrib/gregbook/readpng.c b/libpng/contrib/gregbook/readpng.c index 9167403e5..fad9b536a 100644 --- a/libpng/contrib/gregbook/readpng.c +++ b/libpng/contrib/gregbook/readpng.c @@ -4,7 +4,7 @@ --------------------------------------------------------------------------- - Copyright (c) 1998-2007 Greg Roelofs. All rights reserved. + Copyright (c) 1998-2007,2017 Greg Roelofs. All rights reserved. This software is provided "as is," without warranty of any kind, express or implied. In no event shall the author or contributors @@ -264,6 +264,12 @@ uch *readpng_get_image(double display_exponent, int *pChannels, ulg *pRowbytes) *pRowbytes = rowbytes = png_get_rowbytes(png_ptr, info_ptr); *pChannels = (int)png_get_channels(png_ptr, info_ptr); + /* Guard against integer overflow */ + if (height > ((size_t)(-1))/rowbytes) { + fprintf(stderr, "readpng: image_data buffer would be too large\n", + return NULL; + } + if ((image_data = (uch *)malloc(rowbytes*height)) == NULL) { png_destroy_read_struct(&png_ptr, &info_ptr, NULL); return NULL; diff --git a/libpng/contrib/gregbook/readpng2.c b/libpng/contrib/gregbook/readpng2.c index 4d5e38fe2..5d13e1530 100644 --- a/libpng/contrib/gregbook/readpng2.c +++ b/libpng/contrib/gregbook/readpng2.c @@ -55,6 +55,7 @@ Changelog: 2015-11-12 - Check return value of png_get_bKGD() (Glenn R-P) + 2017-04-22 - Guard against integer overflow (Glenn R-P) ---------------------------------------------------------------------------*/ diff --git a/libpng/contrib/gregbook/readppm.c b/libpng/contrib/gregbook/readppm.c index 7fefc3943..52e702777 100644 --- a/libpng/contrib/gregbook/readppm.c +++ b/libpng/contrib/gregbook/readppm.c @@ -9,7 +9,7 @@ --------------------------------------------------------------------------- - Copyright (c) 1998-2007 Greg Roelofs. All rights reserved. + Copyright (c) 1998-2007,2017 Greg Roelofs. All rights reserved. This software is provided "as is," without warranty of any kind, express or implied. In no event shall the author or contributors @@ -154,12 +154,17 @@ uch *readpng_get_image(double display_exponent, int *pChannels, ulg *pRowbytes) *pRowbytes = rowbytes = channels*width; *pChannels = channels; - if ((image_data = (uch *)malloc(rowbytes*height)) == NULL) { + Trace((stderr, "readpng_get_image: rowbytes = %ld, height = %ld\n", rowbytes, height)); + + /* Guard against integer overflow */ + if (height > ((size_t)(-1))/rowbytes) { + fprintf(stderr, PROGNAME ": image_data buffer would be too large\n", return NULL; } - Trace((stderr, "readpng_get_image: rowbytes = %ld, height = %ld\n", rowbytes, height)); - + if ((image_data = (uch *)malloc(rowbytes*height)) == NULL) { + return NULL; + } /* now we can go ahead and just read the whole image */ diff --git a/libpng/contrib/gregbook/rpng-win.c b/libpng/contrib/gregbook/rpng-win.c index cd5543937..1a6f87615 100644 --- a/libpng/contrib/gregbook/rpng-win.c +++ b/libpng/contrib/gregbook/rpng-win.c @@ -24,10 +24,11 @@ - 1.10: enabled "message window"/console (thanks to David Geldreich) - 2.00: dual-licensed (added GNU GPL) - 2.01: fixed improper display of usage screen on PNG error(s) + - 2.02: check for integer overflow (Glenn R-P) --------------------------------------------------------------------------- - Copyright (c) 1998-2008 Greg Roelofs. All rights reserved. + Copyright (c) 1998-2008, 2017 Greg Roelofs. All rights reserved. This software is provided "as is," without warranty of any kind, express or implied. In no event shall the author or contributors @@ -496,6 +497,12 @@ static int rpng_win_create_window(HINSTANCE hInst, int showmode) wimage_rowbytes = ((3*image_width + 3L) >> 2) << 2; + /* Guard against integer overflow */ + if (image_height > ((size_t)(-1))/wimage_rowbytes) { + fprintf(stderr, PROGNAME ": image_data buffer would be too large\n"); + return 4; /* fail */ + } + if (!(dib = (uch *)malloc(sizeof(BITMAPINFOHEADER) + wimage_rowbytes*image_height))) { diff --git a/libpng/contrib/gregbook/rpng-x.c b/libpng/contrib/gregbook/rpng-x.c index ddd7c58d6..92effaa6d 100644 --- a/libpng/contrib/gregbook/rpng-x.c +++ b/libpng/contrib/gregbook/rpng-x.c @@ -28,10 +28,11 @@ - 2.01: fixed improper display of usage screen on PNG error(s) - 2.02: Added "void(argc);" statement to quiet pedantic compiler warnings about unused variable (GR-P) + - 2.03: check for integer overflow (Glenn R-P) --------------------------------------------------------------------------- - Copyright (c) 1998-2008 Greg Roelofs. All rights reserved. + Copyright (c) 1998-2008, 2017 Greg Roelofs. All rights reserved. This software is provided "as is," without warranty of any kind, express or implied. In no event shall the author or contributors diff --git a/libpng/contrib/gregbook/rpng2-win.c b/libpng/contrib/gregbook/rpng2-win.c index c924c1c6c..ed6b526ec 100644 --- a/libpng/contrib/gregbook/rpng2-win.c +++ b/libpng/contrib/gregbook/rpng2-win.c @@ -33,12 +33,11 @@ - 2.02: fixed improper display of usage screen on PNG error(s); fixed unexpected-EOF and file-read-error cases - 2.03: removed runtime MMX-enabling/disabling and obsolete -mmx* options - - 2.04: - (GR-P) + - 2.04: check for integer overflow (Glenn R-P) --------------------------------------------------------------------------- - Copyright (c) 1998-2008 Greg Roelofs. All rights reserved. + Copyright (c) 1998-2008, 2017 Greg Roelofs. All rights reserved. This software is provided "as is," without warranty of any kind, express or implied. In no event shall the author or contributors @@ -650,6 +649,13 @@ static void rpng2_win_init() Trace((stderr, " width = %ld\n", rpng2_info.width)) Trace((stderr, " height = %ld\n", rpng2_info.height)) + /* Guard against integer overflow */ + if (rpng2_info.height > ((size_t)(-1))/rowbytes) { + fprintf(stderr, PROGNAME ": image_data buffer would be too large\n", + readpng2_cleanup(&rpng2_info); + return; + } + rpng2_info.image_data = (uch *)malloc(rowbytes * rpng2_info.height); if (!rpng2_info.image_data) { readpng2_cleanup(&rpng2_info); diff --git a/libpng/contrib/gregbook/rpng2-x.c b/libpng/contrib/gregbook/rpng2-x.c index 0c8ddeba2..af944c0f2 100644 --- a/libpng/contrib/gregbook/rpng2-x.c +++ b/libpng/contrib/gregbook/rpng2-x.c @@ -44,9 +44,11 @@ - 2.04: Added "void(foo);" statements to quiet pedantic compiler warnings about unused variables (GR-P) - 2.05: Use nanosleep() instead of usleep(), which is deprecated (GR-P). + - 2.06: check for integer overflow (Glenn R-P) --------------------------------------------------------------------------- - Copyright (c) 1998-2010, 2014-2015 Greg Roelofs. All rights reserved. + Copyright (c) 1998-2010, 2014-2015, 2017 Greg Roelofs. All rights + reserved. This software is provided "as is," without warranty of any kind, express or implied. In no event shall the author or contributors @@ -780,6 +782,13 @@ static void rpng2_x_init(void) Trace((stderr, " width = %ld\n", rpng2_info.width)) Trace((stderr, " height = %ld\n", rpng2_info.height)) + /* Guard against integer overflow */ + if (rpng2_info.height > ((size_t)(-1))/rpng2_info.rowbytes) { + fprintf(stderr, PROGNAME ": image_data buffer would be too large\n"); + readpng2_cleanup(&rpng2_info); + return; + } + rpng2_info.image_data = (uch *)malloc(rowbytes * rpng2_info.height); if (!rpng2_info.image_data) { readpng2_cleanup(&rpng2_info); diff --git a/libpng/contrib/gregbook/wpng.c b/libpng/contrib/gregbook/wpng.c index a06e3529e..a8f367fb8 100644 --- a/libpng/contrib/gregbook/wpng.c +++ b/libpng/contrib/gregbook/wpng.c @@ -29,6 +29,7 @@ - 1.04: fixed DOS/OS2/Win32 detection, including partial Cygwin fix (see http://home.att.net/~perlspinr/diffs/GregBook_cygwin.diff) - 2.00: dual-licensed (added GNU GPL) + - 2.01: check for integer overflow (Glenn R-P) [REPORTED BUG (win32 only): "contrib/gregbook/wpng.c - cmd line dose not work! In order to do something useful I needed to redirect @@ -38,7 +39,7 @@ --------------------------------------------------------------------------- - Copyright (c) 1998-2007 Greg Roelofs. All rights reserved. + Copyright (c) 1998-2007, 2017 Greg Roelofs. All rights reserved. This software is provided "as is," without warranty of any kind, express or implied. In no event shall the author or contributors @@ -702,7 +703,18 @@ int main(int argc, char **argv) if (wpng_info.interlaced) { long i; ulg bytes; - ulg image_bytes = rowbytes * wpng_info.height; /* overflow? */ + ulg image_bytes; + + /* Guard against integer overflow */ + if (wpng_info_height > ((size_t)(-1)/rowbytes || + wpng_info_height > ((ulg)(-1)/rowbytes) { + fprintf(stderr, PROGNAME ": image_data buffer too large\n"); + writepng_cleanup(&wpng_info); + wpng_cleanup(); + exit(5); + } + + image_bytes = rowbytes * wpng_info.height; wpng_info.image_data = (uch *)malloc(image_bytes); wpng_info.row_pointers = (uch **)malloc(wpng_info.height*sizeof(uch *)); diff --git a/libpng/contrib/gregbook/writepng.c b/libpng/contrib/gregbook/writepng.c index c5c953479..055c74374 100644 --- a/libpng/contrib/gregbook/writepng.c +++ b/libpng/contrib/gregbook/writepng.c @@ -4,7 +4,7 @@ --------------------------------------------------------------------------- - Copyright (c) 1998-2007 Greg Roelofs. All rights reserved. + Copyright (c) 1998-2007, 2017 Greg Roelofs. All rights reserved. This software is provided "as is," without warranty of any kind, express or implied. In no event shall the author or contributors |