From 225b61ab2a37c4c355dfc592f0f7404ad85374fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Verschelde?=
Date: Fri, 26 Apr 2019 10:37:13 +0200
Subject: libpng: Update to upstream 1.6.37 Fixes CVE-2019-7317.
---
 thirdparty/libpng/pngread.c | 88 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 87 insertions(+), 1 deletion(-)
(limited to 'thirdparty/libpng/pngread.c')
diff --git a/thirdparty/libpng/pngread.c b/thirdparty/libpng/pngread.c
index f8e762196e..fa44d5a8e4 100644
--- a/thirdparty/libpng/pngread.c
+++ b/thirdparty/libpng/pngread.c
@@ -1,7 +1,7 @@
 /* pngread.c - read a PNG file
 *
- * Copyright (c) 2018 Cosmin Truta
+ * Copyright (c) 2018-2019 Cosmin Truta
 * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
 * Copyright (c) 1996-1997 Andreas Dilger
 * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
@@ -161,6 +161,9 @@ png_read_info(png_structrp png_ptr, png_inforp info_ptr)
 else if (chunk_name == png_IDAT)
 {
+#ifdef PNG_READ_APNG_SUPPORTED
+ png_have_info(png_ptr, info_ptr);
+#endif
 png_ptr->idat_size = length;
 break;
 }
@@ -255,6 +258,17 @@ png_read_info(png_structrp png_ptr, png_inforp info_ptr)
 png_handle_iTXt(png_ptr, info_ptr, length);
 #endif
+#ifdef PNG_READ_APNG_SUPPORTED
+ else if (chunk_name == png_acTL)
+ png_handle_acTL(png_ptr, info_ptr, length);
+
+ else if (chunk_name == png_fcTL)
+ png_handle_fcTL(png_ptr, info_ptr, length);
+
+ else if (chunk_name == png_fdAT)
+ png_handle_fdAT(png_ptr, info_ptr, length);
+#endif
+
 else
 png_handle_unknown(png_ptr, info_ptr, length,
 PNG_HANDLE_CHUNK_AS_DEFAULT);
@@ -262,6 +276,72 @@ png_read_info(png_structrp png_ptr, png_inforp info_ptr)
 }
 #endif /* SEQUENTIAL_READ */
+#ifdef PNG_READ_APNG_SUPPORTED
+void PNGAPI
+png_read_frame_head(png_structp png_ptr, png_infop info_ptr)
+{
+ png_byte have_chunk_after_DAT; /* after IDAT or after fdAT */
+
+ png_debug(0, "Reading frame head");
+
+ if (!(png_ptr->mode & PNG_HAVE_acTL))
+ png_error(png_ptr, "attempt to png_read_frame_head() but "
+ "no acTL present");
+
+ /* do nothing for the main IDAT */
+ if (png_ptr->num_frames_read == 0)
+ return;
+
+ png_read_reset(png_ptr);
+ png_ptr->flags &= ~PNG_FLAG_ROW_INIT;
+ png_ptr->mode &= ~PNG_HAVE_fcTL;
+
+ have_chunk_after_DAT = 0;
+ for (;;)
+ {
+ png_uint_32 length = png_read_chunk_header(png_ptr);
+
+ if (png_ptr->chunk_name == png_IDAT)
+ {
+ /* discard trailing IDATs for the first frame */
+ if (have_chunk_after_DAT || png_ptr->num_frames_read > 1)
+ png_error(png_ptr, "png_read_frame_head(): out of place IDAT");
+ png_crc_finish(png_ptr, length);
+ }
+
+ else if (png_ptr->chunk_name == png_fcTL)
+ {
+ png_handle_fcTL(png_ptr, info_ptr, length);
+ have_chunk_after_DAT = 1;
+ }
+
+ else if (png_ptr->chunk_name == png_fdAT)
+ {
+ png_ensure_sequence_number(png_ptr, length);
+
+ /* discard trailing fdATs for frames other than the first */
+ if (!have_chunk_after_DAT && png_ptr->num_frames_read > 1)
+ png_crc_finish(png_ptr, length - 4);
+ else if(png_ptr->mode & PNG_HAVE_fcTL)
+ {
+ png_ptr->idat_size = length - 4;
+ png_ptr->mode |= PNG_HAVE_IDAT;
+
+ break;
+ }
+ else
+ png_error(png_ptr, "png_read_frame_head(): out of place fdAT");
+ }
+ else
+ {
+ png_warning(png_ptr, "Skipped (ignored) a chunk "
+ "between APNG chunks");
+ png_crc_finish(png_ptr, length);
+ }
+ }
+}
+#endif /* PNG_READ_APNG_SUPPORTED */
+
 /* Optional call to update the users info_ptr structure */
 void PNGAPI
 png_read_update_info(png_structrp png_ptr, png_inforp info_ptr)
@@ -994,6 +1074,12 @@ png_read_destroy(png_structrp png_ptr)
 png_ptr->chunk_list = NULL;
 #endif
+#if defined(PNG_READ_EXPAND_SUPPORTED) && \
+ defined(PNG_ARM_NEON_IMPLEMENTATION)
+ png_free(png_ptr, png_ptr->riffled_palette);
+ png_ptr->riffled_palette = NULL;
+#endif
+
 /* NOTE: the 'setjmp' buffer may still be allocated and the memory and error
 * callbacks are still set at this point. They are required to complete the
 * destruction of the png_struct itself.
-- cgit v1.2.3