From: Glenn Randers-P. <gl...@gm...> - 2014-12-21 20:29:39
libpng-1.5.21rc02 and 1.6.16rc02 are available from ftp://ftp.simplesystems.org/pub/png-group/src and from http://libpng.sf.net

Version 1.5.21rc02 and 1.6.16rc02 [December 21, 2014]
  Undid the update to pngrutil.c in 1.6.16rc01. With the fix to png_check_IHDR() in png.c, the change in png_handle_IHDR() isn't necessary.

Glenn
From: John B. <joh...@gm...> - 2014-12-21 21:57:44
Testing 1.6 rc01 on 64-bit systems to ensure that the problem doesn't arise there reveals an unrelated overflow which causes a SEGV on certain interlaced files with very long rows. The problem happens around line 3257 of pngrutil.c, where the png_uint_32 value 'row_width', the width to process in pixels, is multiplied by pixels-per-byte. This can overflow, resulting in row_width becoming 0, which causes bytes_to_copy to become 0, which leads to an infinite do-while loop in the default switch case below, around line 3390.

row_width should be png_alloc_size_t; then we know that the overflow cannot occur because row_width * 8 (the maximum pixel-bytes) fits in a size_t. I'm going to test that change, but it may require other changes because of the places where row_bytes is assigned to bytes_to_copy.

John Bowler
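The overflow John describes, as a stand-alone C illustration added here (not libpng's code; the function names and the 2^29-pixel sample width are constructed): the 32-bit product wraps to zero, the widened product does not, a portable check catches the case regardless of size_t width, and a zero step is exactly what would leave a do-while copy loop spinning.

```c
#include <stddef.h>
#include <stdint.h>

/* Pre-fix arithmetic: row_width is a 32-bit png_uint_32, so scaling it to
 * bytes happens modulo 2^32. A constructed width of 2^29 pixels at 8 bytes
 * per pixel (the maximum) gives exactly 2^32, which wraps to 0. */
uint32_t row_bytes_u32(uint32_t row_width, unsigned bytes_per_pixel)
{
    return row_width * bytes_per_pixel; /* wraps silently */
}

/* The fix described in the thread: widen to size_t (png_alloc_size_t)
 * before multiplying. With a 64-bit size_t even 2^32 * 8 cannot wrap. */
size_t row_bytes_widened(uint32_t row_width, unsigned bytes_per_pixel)
{
    return (size_t)row_width * bytes_per_pixel;
}

/* Defensive variant that does not assume a 64-bit size_t: refuse the
 * multiplication when the product would exceed SIZE_MAX. Returns 1 on
 * success and stores the byte count in *out, 0 on overflow. */
int row_bytes_checked(uint32_t row_width, unsigned bytes_per_pixel, size_t *out)
{
    if (bytes_per_pixel == 0 || row_width > SIZE_MAX / bytes_per_pixel)
        return 0;
    *out = (size_t)row_width * bytes_per_pixel;
    return 1;
}

/* A copy loop in the shape of the one the report describes: advance by
 * bytes_to_copy until the row is consumed. A zero step never terminates,
 * so this version rejects it up front. Returns the iteration count, or -1. */
long copy_iterations(size_t row_bytes, size_t bytes_to_copy)
{
    long iterations = 0;
    size_t done = 0;

    if (bytes_to_copy == 0 || row_bytes == 0)
        return -1;
    do {
        done += bytes_to_copy;
        iterations++;
    } while (done < row_bytes);
    return iterations;
}
```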
From: John B. <joh...@gm...> - 2014-12-21 22:14:21
The attached patch fixes the aforementioned problem.

John Bowler
From: Glenn Randers-P. <gl...@gm...> - 2014-12-21 23:20:25
Pushed John's 0543-* patch to libpng15 and libpng16 branches of the GIT repositories.

Glenn
From: John B. <joh...@gm...> - 2014-12-22 00:30:59
rc03 passes my tests with the following, pre-existing, failures:

libpng 1.5: the various 'pngminim' builds fail on clang because of the spurious definition of png_digit in pngerror.c (fixed in 1.6).
libpng 1.5: ARM: builds fail because of various warnings that are produced on 32-bit ARM and were fixed in 1.6. I dropped running the ARM tests on 1.5.

I don't see any failures in 1.6, x86_64, armv7a or, so far, armv6j with gcc 4.8.3. I've run a pretty complete set of tests on armv7a because I have a fast v7a system (lots of memory, quad core); v6j I'm running with 256M of memory and a single core, but two builds have passed so far. The full set takes a day or two.

I've only done the readpng test for the specific bug that is being fixed, but I'm much more confident than I was before that this is a good fix.

I haven't investigated possible exploits of the bug, but I'm fairly sure they are significant and it wouldn't surprise me to learn that certain official parties were already well aware of them and exploiting them.

John Bowler
From: Glenn Randers-P. <gl...@gm...> - 2014-12-22 00:51:49
Thanks!

On Sun, Dec 21, 2014 at 7:30 PM, John Bowler <joh...@gm...> wrote:

> rc03 passes my tests with the following, pre-existing, failures:
>
> libpng 1.5: the various 'pngminim' builds fail on clang because of the
> spurious definition of png_digit in pngerror.c (fixed in 1.6).
> libpng 1.5: ARM: builds fail because of various warnings that are produced
> on 32-bit ARM and were fixed in 1.6. I dropped running the ARM tests on
> 1.5.
>

Those can wait for 1.5.22beta

> I don't see any failures in 1.6, x86_64, armv7a or, so far, armv6j with
> gcc 4.8.3. I've run a pretty complete set of tests on armv7a because I
> have a fast v7a system (lots of memory, quad core), v6j I'm running with
> 256M of memory and a single core, but two builds have passed so far. The
> full set takes a day or two.
>

So far, so good.

> I've only done the readpng test for the specific bug that is being fixed,
> but I'm much more confident than I was before that this is a good fix.
>
> I haven't investigated possible exploits of the bug, but I'm fairly sure
> they are significant and it wouldn't surprise me to learn that certain
> official parties were already well aware of them and exploiting them.
From: John B. <joh...@gm...> - 2014-12-22 05:25:46
> On Sun, Dec 21, 2014 at 7:30 PM, John Bowler <joh...@gm...> wrote:
>
>> rc03 passes my tests with the following, pre-existing, failures:
>>
>> libpng 1.5: the various 'pngminim' builds fail on clang because of the
>> spurious definition of png_digit in pngerror.c (fixed in 1.6).
>> libpng 1.5: ARM: builds fail because of various warnings that are
>> produced on 32-bit ARM and were fixed in 1.6. I dropped running the ARM
>> tests on 1.5.
>>
>

On 1.5 I removed the -Werror from all the builds and I now get a complete pass: x86_64, armv7a, armv6j, aarch64, with the ARM builds all cross builds in this case, so I can't run make check. (On 1.6 I have run make check on armv7a and armv6j; I don't have an aarch64 machine.) So 1.5 has some warnings which can, so far as I can tell, be ignored. The ones I checked are certainly safe.

John Bowler