[GM-commit] GraphicsMagick: coders/png.c (WriteOnePNGImage): Ignore exessive...
From: GraphicsMagick C. <gra...@li...> - 2025-01-29 21:20:40
changeset 339ea5233db0 in /hg/GraphicsMagick details: http://hg.GraphicsMagick.org/hg/GraphicsMagick?cmd=changeset;node=339ea5233db0 summary: coders/png.c (WriteOnePNGImage): Ignore exessively short ICM profiles. diffstat: ChangeLog | 5 ++++ coders/png.c | 65 +++++++++++++++++++++++++++++++++-------------------- www/ChangeLog.html | 4 +++ 3 files changed, 49 insertions(+), 25 deletions(-) diffs (107 lines): diff -r 482aaf1cc48c -r 339ea5233db0 ChangeLog --- a/ChangeLog Wed Jan 29 10:26:55 2025 -0600 +++ b/ChangeLog Wed Jan 29 15:19:59 2025 -0600 @@ -1,5 +1,10 @@ 2025-01-29 Bob Friesenhahn <bfr...@si...> + * coders/png.c (WriteOnePNGImage): Ignore exessively short ICM + profiles. Should address oss-fuzz 392927700 + "graphicsmagick:coder_PNG64_fuzzer: Heap-buffer-overflow in + png_write_iCCP". + * magick/magic.c (StaticMagic): Identify some more HEIF sub-formats. diff -r 482aaf1cc48c -r 339ea5233db0 coders/png.c --- a/coders/png.c Wed Jan 29 10:26:55 2025 -0600 +++ b/coders/png.c Wed Jan 29 15:19:59 2025 -0600 
@@ -8297,35 +8297,50 @@ LocaleLower(profile_name); if (LocaleCompare(profile_name,"ICM") == 0) { + if (profile_length < 132) + { + if (logging) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " Ignoring %s profile (%u byte%s)" + " because it is too short!", + profile_name, + (unsigned int) profile_length, + profile_length > 1 ? "s" : ""); + } + else + { #if defined(PNG_WRITE_iCCP_SUPPORTED) - { - if (logging) - (void) LogMagickEvent(CoderEvent,GetMagickModule(), - " Setting up iCCP chunk"); - - png_set_iCCP(ping,ping_info,(png_charp) "icm", - (int) 0, + { + if (logging) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " Setting up iCCP chunk (%u byte%s)", + (unsigned int) profile_length, + profile_length > 1 ? "s" : ""); + + png_set_iCCP(ping,ping_info,(png_charp) "icm", + (int) 0, #if (PNG_LIBPNG_VER < 10500) - (png_charp) profile_info, + (png_charp) profile_info, #else - (png_const_bytep) profile_info, -#endif - - (png_uint_32) profile_length); - } + (png_const_bytep) profile_info, +#endif + + (png_uint_32) profile_length); + } #else - { - if (logging) - (void) LogMagickEvent(CoderEvent,GetMagickModule(), - " Setting up text chunk with" - " iCCP Profile"); - png_write_raw_profile(image_info,ping,ping_info, - "icm", - "ICC Profile", - profile_info, - (png_uint_32) profile_length); - } -#endif + { + if (logging) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " Setting up text chunk with" + " iCCP Profile"); + png_write_raw_profile(image_info,ping,ping_info, + "icm", + "ICC Profile", + profile_info, + (png_uint_32) profile_length); + } +#endif + } } else if (LocaleCompare(profile_name,"IPTC") == 0) { diff -r 482aaf1cc48c -r 339ea5233db0 www/ChangeLog.html --- a/www/ChangeLog.html Wed Jan 29 10:26:55 2025 -0600 +++ b/www/ChangeLog.html Wed Jan 29 15:19:59 2025 -0600 
@@ -41,6 +41,10 @@ <p>2025-01-29 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> <blockquote> <ul class="simple"> +<li><p>coders/png.c (WriteOnePNGImage): Ignore exessively short ICM +profiles. Should address oss-fuzz 392927700 +"graphicsmagick:coder_PNG64_fuzzer: Heap-buffer-overflow in +png_write_iCCP".</p></li> <li><p>magick/magic.c (StaticMagic): Identify some more HEIF sub-formats.</p></li> <li><p>coders/heif.c (ReadHEIFImage): Request the primary image handle |
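Review bot: The `if (profile_length < 132)` test at the top of the ICM branch in coders/png.c uses a bare constant, and nothing in the hunk says where 132 comes from or why it is the right floor for what `png_set_iCCP` will read. Please add a comment stating the derivation, or give the value a named constant, so the bound can be checked against the libpng behaviour reported by oss-fuzz 392927700. Two smaller points in the same hunk: the skip is reported only when `logging` is set, so a caller who attached a profile gets a PNG without it and no other indication; and the new `else` also wraps the `png_write_raw_profile` fallback, which the ChangeLog entry does not mention. If the fallback path does not need the minimum length, keep the check inside the `PNG_WRITE_iCCP_SUPPORTED` arm only.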
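Review bot: "exessively" in the added ChangeLog entry should be "excessively"; the same misspelling is repeated in the www/ChangeLog.html hunk and in the changeset summary. The entry would also be more useful if it stated the threshold the code now enforces (profiles under 132 bytes are skipped), since "excessively short" alone does not tell a reader which profiles are dropped from the written PNG.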