diff options
Diffstat (limited to 'drivers/png/pngrutil.c')
| -rw-r--r-- | drivers/png/pngrutil.c | 245 |
1 files changed, 118 insertions, 127 deletions
diff --git a/drivers/png/pngrutil.c b/drivers/png/pngrutil.c index c53117ab29..632c5c8e02 100644 --- a/drivers/png/pngrutil.c +++ b/drivers/png/pngrutil.c @@ -1,8 +1,8 @@ /* pngrutil.c - utilities to read a PNG file * - * Last changed in libpng 1.5.7 [December 15, 2011] - * Copyright (c) 1998-2011 Glenn Randers-Pehrson + * Last changed in libpng 1.5.25 [December 17, 2015] + * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -18,8 +18,6 @@ #ifdef PNG_READ_SUPPORTED -#define png_strtod(p,a,b) strtod(a,b) - png_uint_32 PNGAPI png_get_uint_31(png_structp png_ptr, png_const_bytep buf) { @@ -91,7 +89,13 @@ png_get_int_32)(png_const_bytep buf) return uval; uval = (uval ^ 0xffffffff) + 1; /* 2's complement: -x = ~x+1 */ - return -(png_int_32)uval; + if ((uval & 0x80000000) == 0) /* no overflow */ + return -(png_int_32)uval; + /* The following has to be safe; this function only gets called on PNG data + * and if we get here that data is invalid. 0 is the most safe value and + * if not then an attacker would surely just generate a PNG with 0 instead. + */ + return 0; } /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */ @@ -211,7 +215,7 @@ png_crc_finish(png_structp png_ptr, png_uint_32 skip) png_crc_read(png_ptr, png_ptr->zbuf, png_ptr->zbuf_size); } - if (i) + if (i != 0) { png_crc_read(png_ptr, png_ptr->zbuf, i); } @@ -267,7 +271,7 @@ png_crc_error(png_structp png_ptr) /* The chunk CRC must be serialized in a single I/O call. */ png_read_data(png_ptr, crc_bytes, 4); - if (need_crc) + if (need_crc != 0) { crc = png_get_uint_32(crc_bytes); return ((int)(crc != png_ptr->crc)); @@ -284,6 +288,17 @@ png_inflate(png_structp png_ptr, png_bytep data, png_size_t size, { png_size_t count = 0; + /* HACK: added in libpng 1.5.18: the progressive reader always leaves + * png_ptr->zstream in a non-reset state. This causes a reset if it needs to + * be used again. This only copes with that one specific error; see libpng + * 1.6 for a better solution. + */ + if ((png_ptr->flags & PNG_FLAG_ZSTREAM_PROGRESSIVE) != 0) + { + (void)inflateReset(&png_ptr->zstream); + png_ptr->flags &= ~PNG_FLAG_ZSTREAM_PROGRESSIVE; + } + /* zlib can't necessarily handle more than 65535 bytes at once (i.e. it can't * even necessarily handle 65536 bytes) because the type uInt is "16 bits or * more". Consequently it is necessary to chunk the input to zlib. This @@ -432,15 +447,16 @@ png_decompress_chunk(png_structp png_ptr, int comp_type, /* Now check the limits on this chunk - if the limit fails the * compressed data will be removed, the prefix will remain. */ -#ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED - if (png_ptr->user_chunk_malloc_max && + if (prefix_size >= (~(png_size_t)0) - 1 || + expanded_size >= (~(png_size_t)0) - 1 - prefix_size +#ifdef PNG_USER_LIMITS_SUPPORTED + || (png_ptr->user_chunk_malloc_max && (prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1)) #else -# ifdef PNG_USER_CHUNK_MALLOC_MAX - if ((PNG_USER_CHUNK_MALLOC_MAX > 0) && + || ((PNG_USER_CHUNK_MALLOC_MAX > 0) && prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1) -# endif #endif + ) png_warning(png_ptr, "Exceeded size limit while expanding chunk"); /* If the size is zero either there was an error and a message @@ -448,12 +464,7 @@ png_decompress_chunk(png_structp png_ptr, int comp_type, * and we have nothing to do - the code will exit through the * error case below. */ -#if defined(PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED) || \ - defined(PNG_USER_CHUNK_MALLOC_MAX) else if (expanded_size > 0) -#else - if (expanded_size > 0) -#endif { /* Success (maybe) - really uncompress the chunk. */ png_size_t new_size = 0; @@ -600,7 +611,7 @@ void /* PRIVATE */ png_handle_PLTE(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { png_color palette[PNG_MAX_PALETTE_LENGTH]; - int num, i; + int max_palette_length, num, i; #ifdef PNG_POINTER_INDEXING_SUPPORTED png_colorp pal_ptr; #endif @@ -653,8 +664,22 @@ png_handle_PLTE(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } } + /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */ num = (int)length / 3; + /* If the palette has 256 or fewer entries but is too large for the bit + * depth, we don't issue an error, to preserve the behavior of previous + * libpng versions. We silently truncate the unused extra palette entries + * here. + */ + if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) + max_palette_length = (1 << png_ptr->bit_depth); + else + max_palette_length = PNG_MAX_PALETTE_LENGTH; + + if (num > max_palette_length) + num = max_palette_length; + #ifdef PNG_POINTER_INDEXING_SUPPORTED for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++) { @@ -687,7 +712,7 @@ png_handle_PLTE(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) #endif { - png_crc_finish(png_ptr, 0); + png_crc_finish(png_ptr, (int) length - num * 3); } #ifndef PNG_READ_OPT_PLTE_SUPPORTED @@ -1261,13 +1286,16 @@ png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place iCCP chunk"); - if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) + if ((png_ptr->mode & PNG_HAVE_iCCP) || (info_ptr != NULL && + (info_ptr->valid & (PNG_INFO_iCCP|PNG_INFO_sRGB)))) { png_warning(png_ptr, "Duplicate iCCP chunk"); png_crc_finish(png_ptr, length); return; } + png_ptr->mode |= PNG_HAVE_iCCP; + #ifdef PNG_MAX_MALLOC_64K if (length > (png_uint_32)65535L) { @@ -1279,7 +1307,7 @@ png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_free(png_ptr, png_ptr->chunkdata); png_ptr->chunkdata = (png_charp)png_malloc(png_ptr, length + 1); - slength = (png_size_t)length; + slength = length; png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength); if (png_crc_finish(png_ptr, skip)) @@ -1299,7 +1327,7 @@ png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* There should be at least one zero (the compression type byte) * following the separator, and we should be on it */ - if (profile >= png_ptr->chunkdata + slength - 1) + if (slength < 1U || profile >= png_ptr->chunkdata + slength - 1U) { png_free(png_ptr, png_ptr->chunkdata); png_ptr->chunkdata = NULL; @@ -1310,7 +1338,7 @@ png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* Compression_type should always be zero */ compression_type = *profile++; - if (compression_type) + if (compression_type != 0) { png_warning(png_ptr, "Ignoring nonzero compression type in iCCP chunk"); compression_type = 0x00; /* Reset it to zero (libpng-1.0.6 through 1.0.8 @@ -1429,7 +1457,7 @@ png_handle_sPLT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) * that the PNG_MAX_MALLOC_64K test is enabled in this case, but this is a * potential breakage point if the types in pngconf.h aren't exactly right. */ - slength = (png_size_t)length; + slength = length; png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength); if (png_crc_finish(png_ptr, skip)) @@ -1448,7 +1476,8 @@ png_handle_sPLT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) ++entry_start; /* A sample depth should follow the separator, and we should be on it */ - if (entry_start > (png_bytep)png_ptr->chunkdata + slength - 2) + if (slength < 2U || + entry_start > (png_bytep)png_ptr->chunkdata + slength - 2U) { png_free(png_ptr, png_ptr->chunkdata); png_ptr->chunkdata = NULL; @@ -1797,16 +1826,16 @@ png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) return; } - num = length / 2 ; - - if (num != (unsigned int)png_ptr->num_palette || num > - (unsigned int)PNG_MAX_PALETTE_LENGTH) + if (length > 2*PNG_MAX_PALETTE_LENGTH || + length != (unsigned int) (2*png_ptr->num_palette)) { png_warning(png_ptr, "Incorrect hIST chunk length"); png_crc_finish(png_ptr, length); return; } + num = length / 2 ; + for (i = 0; i < num; i++) { png_byte buf[2]; @@ -1956,7 +1985,7 @@ png_handle_pCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) return; } - slength = (png_size_t)length; + slength = length; png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength); if (png_crc_finish(png_ptr, 0)) @@ -1977,7 +2006,7 @@ png_handle_pCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* We need to have at least 12 bytes after the purpose string * in order to get the parameter information. */ - if (endptr <= buf + 12) + if (endptr - buf <= 12) { png_warning(png_ptr, "Invalid pCAL data"); png_free(png_ptr, png_ptr->chunkdata); @@ -2105,7 +2134,7 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) return; } - slength = (png_size_t)length; + slength = length; png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength); png_ptr->chunkdata[slength] = 0x00; /* Null terminate the last string */ @@ -2265,7 +2294,7 @@ png_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) return; } - slength = (png_size_t)length; + slength = length; png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength); if (png_crc_finish(png_ptr, skip)) @@ -2310,7 +2339,7 @@ png_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_ptr->chunkdata = NULL; png_free(png_ptr, text_ptr); - if (ret) + if (ret != 0) png_warning(png_ptr, "Insufficient memory to process text chunk"); } #endif @@ -2373,7 +2402,7 @@ png_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) return; } - slength = (png_size_t)length; + slength = length; png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength); if (png_crc_finish(png_ptr, 0)) @@ -2389,7 +2418,7 @@ png_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* Empty loop */ ; /* zTXt must have some text after the chunkdataword */ - if (text >= png_ptr->chunkdata + slength - 2) + if (slength < 2U || text >= png_ptr->chunkdata + slength - 2U) { png_warning(png_ptr, "Truncated zTXt chunk"); png_free(png_ptr, png_ptr->chunkdata); @@ -2440,7 +2469,7 @@ png_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_free(png_ptr, png_ptr->chunkdata); png_ptr->chunkdata = NULL; - if (ret) + if (ret != 0) png_error(png_ptr, "Insufficient memory to store zTXt chunk"); } #endif @@ -2453,7 +2482,7 @@ png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_textp text_ptr; png_charp key, lang, text, lang_key; int comp_flag; - int comp_type = 0; + int comp_type; int ret; png_size_t slength, prefix_len, data_len; @@ -2504,7 +2533,7 @@ png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) return; } - slength = (png_size_t)length; + slength = length; png_crc_read(png_ptr, (png_bytep)png_ptr->chunkdata, slength); if (png_crc_finish(png_ptr, 0)) @@ -2526,7 +2555,7 @@ png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) * keyword */ - if (lang >= png_ptr->chunkdata + slength - 3) + if (slength < 3U || lang >= png_ptr->chunkdata + slength - 3U) { png_warning(png_ptr, "Truncated iTXt chunk"); png_free(png_ptr, png_ptr->chunkdata); @@ -2534,18 +2563,30 @@ png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) return; } - else - { - comp_flag = *lang++; - comp_type = *lang++; - } + comp_flag = *lang++; + comp_type = *lang++; - if (comp_type || (comp_flag && comp_flag != PNG_TEXT_COMPRESSION_zTXt)) + /* 1.5.14: The spec says "for uncompressed text decoders shall ignore [the + * compression type]". The compression flag shall be 0 (no compression) or + * 1 (compressed with method 0 - deflate.) + */ + if (comp_flag/*compressed*/ != 0) { - png_warning(png_ptr, "Unknown iTXt compression type or method"); - png_free(png_ptr, png_ptr->chunkdata); - png_ptr->chunkdata = NULL; - return; + if (comp_flag != 1) + { + png_warning(png_ptr, "invalid iTXt compression flag"); + png_free(png_ptr, png_ptr->chunkdata); + png_ptr->chunkdata = NULL; + return; + } + + if (comp_type != 0) + { + png_warning(png_ptr, "unknown iTXt compression type"); + png_free(png_ptr, png_ptr->chunkdata); + png_ptr->chunkdata = NULL; + return; + } } for (lang_key = lang; *lang_key; lang_key++) @@ -2578,7 +2619,7 @@ png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) key=png_ptr->chunkdata; - if (comp_flag) + if (comp_flag/*compressed*/) png_decompress_chunk(png_ptr, comp_type, (size_t)length, prefix_len, &data_len); @@ -2596,7 +2637,8 @@ png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) return; } - text_ptr->compression = (int)comp_flag + 1; + text_ptr->compression = + (comp_flag ? PNG_ITXT_COMPRESSION_zTXt : PNG_ITXT_COMPRESSION_NONE); text_ptr->lang_key = png_ptr->chunkdata + (lang_key - key); text_ptr->lang = png_ptr->chunkdata + (lang - key); text_ptr->itxt_length = data_len; @@ -2610,7 +2652,7 @@ png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_free(png_ptr, png_ptr->chunkdata); png_ptr->chunkdata = NULL; - if (ret) + if (ret != 0) png_error(png_ptr, "Insufficient memory to store iTXt chunk"); } #endif @@ -2787,7 +2829,7 @@ png_combine_row(png_structp png_ptr, png_bytep dp, int display) { unsigned int pixel_depth = png_ptr->transformed_pixel_depth; png_const_bytep sp = png_ptr->row_buf + 1; - png_uint_32 row_width = png_ptr->width; + png_alloc_size_t row_width = png_ptr->width; unsigned int pass = png_ptr->pass; png_bytep end_ptr = 0; png_byte end_byte = 0; @@ -2939,7 +2981,7 @@ png_combine_row(png_structp png_ptr, png_bytep dp, int display) # define S_MASKS(d,s) { S_MASK(0,d,s), S_MASK(1,d,s), S_MASK(2,d,s),\ S_MASK(3,d,s), S_MASK(4,d,s), S_MASK(5,d,s) } -# define B_MASKS(d,s) { B_MASK(1,d,s), S_MASK(3,d,s), S_MASK(5,d,s) } +# define B_MASKS(d,s) { B_MASK(1,d,s), B_MASK(3,d,s), B_MASK(5,d,s) } # define DEPTH_INDEX(d) ((d)==1?0:((d)==2?1:2)) @@ -3050,7 +3092,7 @@ png_combine_row(png_structp png_ptr, png_bytep dp, int display) } /* Work out the bytes to copy. */ - if (display) + if (display != 0) { /* When doing the 'block' algorithm the pixel in the pass gets * replicated to adjacent pixels. This is why the even (0,2,4,6) @@ -3060,7 +3102,7 @@ png_combine_row(png_structp png_ptr, png_bytep dp, int display) /* But don't allow this number to exceed the actual row width. */ if (bytes_to_copy > row_width) - bytes_to_copy = row_width; + bytes_to_copy = (unsigned int)/*SAFE*/row_width; } else /* normal row; Adam7 only ever gives us one pixel to copy. */ @@ -3152,7 +3194,7 @@ png_combine_row(png_structp png_ptr, png_bytep dp, int display) { png_uint_32p dp32 = (png_uint_32p)dp; png_const_uint_32p sp32 = (png_const_uint_32p)sp; - unsigned int skip = (bytes_to_jump-bytes_to_copy) / + size_t skip = (bytes_to_jump-bytes_to_copy) / sizeof (png_uint_32); do @@ -3193,7 +3235,7 @@ png_combine_row(png_structp png_ptr, png_bytep dp, int display) { png_uint_16p dp16 = (png_uint_16p)dp; png_const_uint_16p sp16 = (png_const_uint_16p)sp; - unsigned int skip = (bytes_to_jump-bytes_to_copy) / + size_t skip = (bytes_to_jump-bytes_to_copy) / sizeof (png_uint_16); do @@ -3238,7 +3280,7 @@ png_combine_row(png_structp png_ptr, png_bytep dp, int display) dp += bytes_to_jump; row_width -= bytes_to_jump; if (bytes_to_copy > row_width) - bytes_to_copy = row_width; + bytes_to_copy = (unsigned int)/*SAFE*/row_width; } } @@ -3477,7 +3519,7 @@ png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass, for (i = 0; i < row_info->width; i++) { - png_byte v[8]; + png_byte v[8]; /* SAFE; pixel_depth does not exceed 64 */ int j; png_memcpy(v, sp, pixel_bytes); @@ -3661,68 +3703,6 @@ png_read_filter_row_paeth_multibyte_pixel(png_row_infop row_info, png_bytep row, } } -#ifdef PNG_ARM_NEON - -#if 0 -#ifdef __linux__ -#include <stdio.h> -#include <elf.h> -#include <asm/hwcap.h> - -static int png_have_hwcap(unsigned cap) -{ - FILE *f = fopen("/proc/self/auxv", "r"); - Elf32_auxv_t aux; - int have_cap = 0; - - if (!f) - return 0; - - while (fread(&aux, sizeof(aux), 1, f) > 0) - { - if (aux.a_type == AT_HWCAP && - aux.a_un.a_val & cap) - { - have_cap = 1; - break; - } - } - - fclose(f); - - return have_cap; -} -#endif /* __linux__ */ -#endif -static void -png_init_filter_functions_neon(png_structp pp, unsigned int bpp) -{ -#if 0 -#ifdef __linux__ - if (!png_have_hwcap(HWCAP_NEON)) - return; -#endif -#endif - pp->read_filter[PNG_FILTER_VALUE_UP-1] = png_read_filter_row_up_neon; - - if (bpp == 3) - { - pp->read_filter[PNG_FILTER_VALUE_SUB-1] = png_read_filter_row_sub3_neon; - pp->read_filter[PNG_FILTER_VALUE_AVG-1] = png_read_filter_row_avg3_neon; - pp->read_filter[PNG_FILTER_VALUE_PAETH-1] = - png_read_filter_row_paeth3_neon; - } - - else if (bpp == 4) - { - pp->read_filter[PNG_FILTER_VALUE_SUB-1] = png_read_filter_row_sub4_neon; - pp->read_filter[PNG_FILTER_VALUE_AVG-1] = png_read_filter_row_avg4_neon; - pp->read_filter[PNG_FILTER_VALUE_PAETH-1] = - png_read_filter_row_paeth4_neon; - } -} -#endif /* PNG_ARM_NEON */ - static void png_init_filter_functions(png_structp pp) { @@ -3738,8 +3718,16 @@ png_init_filter_functions(png_structp pp) pp->read_filter[PNG_FILTER_VALUE_PAETH-1] = png_read_filter_row_paeth_multibyte_pixel; -#ifdef PNG_ARM_NEON - png_init_filter_functions_neon(pp, bpp); +#ifdef PNG_FILTER_OPTIMIZATIONS + /* To use this define PNG_FILTER_OPTIMIZATIONS as the name of a function to + * call to install hardware optimizations for the above functions; simply + * replace whatever elements of the pp->read_filter[] array with a hardware + * specific (or, for that matter, generic) optimization. + * + * To see an example of this examine what configure.ac does when + * --enable-arm-neon is specified on the command line. + */ + PNG_FILTER_OPTIMIZATIONS(pp, bpp); #endif } @@ -3747,10 +3735,13 @@ void /* PRIVATE */ png_read_filter_row(png_structp pp, png_row_infop row_info, png_bytep row, png_const_bytep prev_row, int filter) { - if (pp->read_filter[0] == NULL) - png_init_filter_functions(pp); if (filter > PNG_FILTER_VALUE_NONE && filter < PNG_FILTER_VALUE_LAST) + { + if (pp->read_filter[0] == NULL) + png_init_filter_functions(pp); + pp->read_filter[filter-1](row_info, row, prev_row); + } } #ifdef PNG_SEQUENTIAL_READ_SUPPORTED |