From 61e137bced7f7807ee8e535e47cfbec2cff3b68f Mon Sep 17 00:00:00 2001
From: ryanforsten <39569797+ryanforsten@users.noreply.github.com>
Date: Fri, 16 Apr 2021 02:17:17 -0400
Subject: [PATCH 1/2] Update pngpread.c
---
 third-party/libpng/pngpread.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/third-party/libpng/pngpread.c b/third-party/libpng/pngpread.c
index fbe361d..fcef5c4 100644
--- a/third-party/libpng/pngpread.c
+++ b/third-party/libpng/pngpread.c
@@ -223,6 +223,21 @@ png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr)
 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0)
 png_benign_error(png_ptr, "Too many IDATs found");
 }
+
+ else
+ {
+ png_alloc_size_t limit = PNG_SIZE_MAX;
+# ifdef PNG_SET_USER_LIMITS_SUPPORTED
+ if (png_ptr->user_chunk_malloc_max > 0 &&
+ png_ptr->user_chunk_malloc_max < limit)
+ limit = png_ptr->user_chunk_malloc_max;
+# elif PNG_USER_CHUNK_MALLOC_MAX > 0
+ if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+ limit = PNG_USER_CHUNK_MALLOC_MAX;
+# endif
+ if (png_ptr->push_length > limit)
+ png_chunk_error(png_ptr, "chunk data is too large");
+ }
 if (chunk_name == png_IHDR)
 {
From 277984f20e77ab03f05ad215fe020c12edfa54c1 Mon Sep 17 00:00:00 2001
From: ryanforsten <39569797+ryanforsten@users.noreply.github.com>
Date: Fri, 16 Apr 2021 02:18:02 -0400
Subject: [PATCH 2/2] Update pngrutil.c
---
 third-party/libpng/pngrutil.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/third-party/libpng/pngrutil.c b/third-party/libpng/pngrutil.c
index a4fa714..a3a8f74 100644
--- a/third-party/libpng/pngrutil.c
+++ b/third-party/libpng/pngrutil.c
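Review bot: In the added `else` block of the pngpread.c hunk (PATCH 1/2), `limit` starts at `PNG_SIZE_MAX` and is lowered only when `user_chunk_malloc_max > 0` or `PNG_USER_CHUNK_MALLOC_MAX > 0`, so with no limit configured the `push_length > limit` test probably never fires (assuming `push_length` is a 32-bit length, which the hunk does not show). The guard therefore relies on the embedding application setting a chunk limit, and that deserves a comment such as `/* No effect unless a user chunk malloc limit is configured */`. The same twelve lines are repeated in the pngrutil.c hunk of PATCH 2/2; one shared helper would keep the two readers from drifting apart. The `if` that this `else` pairs with begins above the hunk.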
@@ -181,8 +181,21 @@ png_read_chunk_header(png_structrp png_ptr)
 /* Check to see if chunk name is valid. */
 png_check_chunk_name(png_ptr, png_ptr->chunk_name);
- /* Check for too-large chunk length */
- png_check_chunk_length(png_ptr, length);
+ /* Check for too-large chunk length */
+ if (png_ptr->chunk_name != png_IDAT)
+ {
+ png_alloc_size_t limit = PNG_SIZE_MAX;
+# ifdef PNG_SET_USER_LIMITS_SUPPORTED
+ if (png_ptr->user_chunk_malloc_max > 0 &&
+ png_ptr->user_chunk_malloc_max < limit)
+ limit = png_ptr->user_chunk_malloc_max;
+# elif PNG_USER_CHUNK_MALLOC_MAX > 0
+ if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+ limit = PNG_USER_CHUNK_MALLOC_MAX;
+# endif
+ if (length > limit)
+ png_chunk_error(png_ptr, "chunk data is too large");
+ }
 #ifdef PNG_IO_STATE_SUPPORTED
 png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
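Review bot: The replacement for `png_check_chunk_length(png_ptr, length)` skips the length test entirely when `chunk_name == png_IDAT`, so IDAT chunks pass through this part of `png_read_chunk_header` with no upper bound from the new code. The removed helper's body is not shown; if it also bounded IDAT lengths, this hunk drops that protection for the sequential reader and should keep the call. Otherwise the reason for the exemption belongs next to the test, e.g. `/* IDAT is exempt here; its length must be bounded elsewhere (confirm) */`. Because this edits a vendored libpng copy by hand, recording the upstream release the code was taken from would help later audits match it against upstream fixes. The function body continues outside the hunk.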