[libpng17] Removed user limits from pngfix. Also pass NULL pointers to
png_read_row to skip the unnecessary row de-interlace stuff.
diff --git a/ANNOUNCE b/ANNOUNCE
index d51b781..890d821 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -673,10 +673,12 @@
Removed extraneous handling of PNG_SAFE_LIMITS_SUPPORTED from pngconf.h
Version 1.7.0beta45 [December 24, 2014]
- Eliminated the PNG_SAFE_LIMITS macro and set default limits in
- pnglibconf.dfa, that can be reset by the user at build time or run time.
- This provides a more robust defense against DOS and as-yet undiscovered
- overflows.
+ Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column
+ and 1-million-row default limits in pnglibconf.dfa, that can be reset
+ by the user at build time or run time. This provides a more robust
+ defense against DOS and as-yet undiscovered overflows.
+ Removed user limits from pngfix. Also pass NULL pointers to
+ png_read_row to skip the unnecessary row de-interlace stuff.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/CHANGES b/CHANGES
index b95d7f5..e911b2d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4962,10 +4962,12 @@
Removed extraneous handling of PNG_SAFE_LIMITS_SUPPORTED from pngconf.h
Version 1.7.0beta45 [December 24, 2014]
- Eliminated the PNG_SAFE_LIMITS macro and set default limits in
- pnglibconf.dfa, that can be reset by the user at build time or run time.
- This provides a more robust defense against DOS and as-yet undiscovered
- overflows.
+ Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column
+ and 1-million-row default limits in pnglibconf.dfa, that can be reset
+ by the user at build time or run time. This provides a more robust
+ defense against DOS and as-yet undiscovered overflows.
+ Removed user limits from pngfix. Also pass NULL pointers to
+ png_read_row to skip the unnecessary row de-interlace stuff.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/contrib/tools/pngfix.c b/contrib/tools/pngfix.c
index d9f05b8..385e0ba 100644
--- a/contrib/tools/pngfix.c
+++ b/contrib/tools/pngfix.c
@@ -3577,7 +3577,6 @@
{
png_structp png_ptr;
png_infop info_ptr = NULL;
- volatile png_bytep row = NULL, display = NULL;
volatile int rc;
png_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING, control,
@@ -3594,6 +3593,16 @@
rc = setjmp(control->file.jmpbuf);
if (rc == 0)
{
+# ifdef PNG_SET_USER_LIMITS_SUPPORTED
+ /* Remove any limits on the size of PNG files that can be read,
+ * without this we may reject files based on built-in safety
+ * limits.
+ */
+ png_set_user_limits(png_ptr, 0x7fffffff, 0x7fffffff);
+ png_set_chunk_cache_max(png_ptr, 0);
+ png_set_chunk_malloc_max(png_ptr, 0);
+# endif
+
png_set_read_fn(png_ptr, control, read_callback);
info_ptr = png_create_info_struct(png_ptr);
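Review bot: The block added under `PNG_SET_USER_LIMITS_SUPPORTED` lifts the dimension, chunk-cache and chunk-malloc limits unconditionally, and its comment does not say what that costs. With `png_set_chunk_cache_max(png_ptr, 0)` and `png_set_chunk_malloc_max(png_ptr, 0)`, the memory libpng may allocate while reading a file is presumably bounded only by what the file asks for; that matters because pngfix is typically run on damaged files of unknown origin. I would extend the comment with something like `/* NOTE: with the limits removed, memory use is driven by the input; run pngfix under an OS resource limit when the files are untrusted. */`. As a style point, `0x7fffffff` could be written as `PNG_UINT_31_MAX` so the intent (largest legal PNG dimension) is visible. The enclosing function starts and ends outside this hunk.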
@@ -3606,32 +3615,22 @@
png_read_info(png_ptr, info_ptr);
{
- png_size_t rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ png_uint_32 height = png_get_image_height(png_ptr, info_ptr);
+ int passes = png_set_interlace_handling(png_ptr);
+ int pass;
- row = png_voidcast(png_byte*, malloc(rowbytes));
- display = png_voidcast(png_byte*, malloc(rowbytes));
+ png_start_read_image(png_ptr);
- if (row == NULL || display == NULL)
- png_error(png_ptr, "OOM allocating row buffers");
+ for (pass = 0; pass < passes; ++pass)
+ {
+ png_uint_32 y = height;
- {
- png_uint_32 height = png_get_image_height(png_ptr, info_ptr);
- int passes = png_set_interlace_handling(png_ptr);
- int pass;
-
- png_start_read_image(png_ptr);
-
- for (pass = 0; pass < passes; ++pass)
- {
- png_uint_32 y = height;
-
- /* NOTE: this trashes the row each time; interlace handling won't
- * work, but this avoids memory thrashing for speed testing.
- */
- while (y-- > 0)
- png_read_row(png_ptr, row, display);
- }
- }
+ /* NOTE: this skips asking libpng to return either version of
+ * the image row, but libpng still reads the rows.
+ */
+ while (y-- > 0)
+ png_read_row(png_ptr, NULL, NULL);
+ }
}
if (control->file.global->verbose)
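Review bot: The new comment above `png_read_row(png_ptr, NULL, NULL)` is vague about what "either version of the image row" means and why discarding the rows is acceptable here. I would reword it along the lines of `/* Both row and display_row are NULL: libpng still reads and checks every row of every pass, but copies nothing out because pngfix never uses the pixels. */`. It would also help to say that the loop deliberately calls png_read_row `height` times per pass because `png_set_interlace_handling` was requested, since that is not obvious once the row buffers are gone. The enclosing function begins before this hunk and continues after it.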
@@ -3642,8 +3641,6 @@
}
png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
- if (row != NULL) free(row);
- if (display != NULL) free(display);
return rc;
}