author | mhm@chromium.org <mhm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-06-26 18:03:28 +0000 |
---|---|---|
committer | mhm@chromium.org <mhm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-06-26 18:03:28 +0000 |
commit | 6f7a602151b8a9c4437f9756766782d8b0f8196f (patch) | |
tree | 511c03bb9c1cdae04872c14069ae5c7cd72e7da7 /third_party/libpng | |
parent | 01143a0d7e28b08783048b5fb6b940731d56cf75 (diff) | |
Update libpng to version 1.2.44
According to the libpng website, this update fixes the vulnerability CVE-2010-1205.
BUG=47633
TEST=None
Review URL: http://codereview.chromium.org/2835021
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@50937 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'third_party/libpng')
-rw-r--r-- | third_party/libpng/LICENSE | 2 | ||||
-rw-r--r-- | third_party/libpng/README | 2 | ||||
-rw-r--r-- | third_party/libpng/README.chromium | 2 | ||||
-rw-r--r-- | third_party/libpng/png.h | 3 | ||||
-rw-r--r-- | third_party/libpng/pngpread.c | 123 | ||||
-rw-r--r-- | third_party/libpng/pngread.c | 4 | ||||
-rw-r--r-- | third_party/libpng/pngrutil.c | 43 |
7 files changed, 121 insertions, 58 deletions
diff --git a/third_party/libpng/LICENSE b/third_party/libpng/LICENSE index 8521813..662cba9 100644 --- a/third_party/libpng/LICENSE +++ b/third_party/libpng/LICENSE @@ -10,7 +10,7 @@ this sentence. This code is released under the libpng license. -libpng versions 1.2.6, August 15, 2004, through 1.2.43, February 25, 2010, are +libpng versions 1.2.6, August 15, 2004, through 1.2.44, June 26, 2010, are Copyright (c) 2004, 2006-2009 Glenn Randers-Pehrson, and are distributed according to the same disclaimer and license as libpng-1.2.5 with the following individual added to the list of Contributing Authors diff --git a/third_party/libpng/README b/third_party/libpng/README index 31949f3..01f5d4c 100644 --- a/third_party/libpng/README +++ b/third_party/libpng/README @@ -1,4 +1,4 @@ -README for libpng version 1.2.43 - February 25, 2010 (shared library 12.0) +README for libpng version 1.2.44 - June 26, 2010 (shared library 12.0) See the note about version numbers near the top of png.h See INSTALL for instructions on how to install libpng. diff --git a/third_party/libpng/README.chromium b/third_party/libpng/README.chromium index 5549159..8ee1a0a 100644 --- a/third_party/libpng/README.chromium +++ b/third_party/libpng/README.chromium @@ -5,6 +5,6 @@ Our custom configuration options are defined in pngusr.h. This was previously called mozpngconf.h, which was copied from Mozilla and modified by Apple (hence the webkit_* names). -Updated to 1.2.43, no changes to the source files but all unneeded files +Updated to 1.2.44, no changes to the source files but all unneeded files stripped. diff --git a/third_party/libpng/png.h b/third_party/libpng/png.h index 7a27c6f..1ed5426 100644 --- a/third_party/libpng/png.h +++ b/third_party/libpng/png.h 
@@ -259,6 +259,9 @@ * 1.2.43rc01-02 13 10243 12.so.0.43[.0] * 1.0.53 10 10053 10.so.0.53[.0] * 1.2.43 13 10243 12.so.0.43[.0] + * 1.2.44beta01-03 13 10244 12.so.0.44[.0] + * 1.2.44rc01-03 13 10244 12.so.0.44[.0] + * 1.2.44 13 10244 12.so.0.44[.0] * * Henceforth the source version will match the shared-library major * and minor numbers; the shared-library major version number will be diff --git a/third_party/libpng/pngpread.c b/third_party/libpng/pngpread.c index 52f41a2..48608f6 100644 --- a/third_party/libpng/pngpread.c +++ b/third_party/libpng/pngpread.c @@ -1,7 +1,7 @@ /* pngpread.c - read a png file in push mode * - * Last changed in libpng 1.2.43 [February 25, 2010] + * Last changed in libpng 1.2.44 [June 26, 2010] * Copyright (c) 1998-2010 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -783,8 +783,7 @@ png_push_read_IDAT(png_structp png_ptr) png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size); - if (!(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED)) - png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size); + png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size); png_ptr->idat_size -= save_size; png_ptr->buffer_size -= save_size; @@ -807,8 +806,7 @@ png_push_read_IDAT(png_structp png_ptr) save_size = png_ptr->current_buffer_size; png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size); - if (!(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED)) - png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size); + png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size); png_ptr->idat_size -= save_size; png_ptr->buffer_size -= save_size; 
@@ -833,62 +831,101 @@ void /* PRIVATE */ png_process_IDAT_data(png_structp png_ptr, png_bytep buffer, png_size_t buffer_length) { - int ret; - - if ((png_ptr->flags & PNG_FLAG_ZLIB_FINISHED) && buffer_length) - png_error(png_ptr, "Extra compression data"); + /* The caller checks for a non-zero buffer length. */ + if (!(buffer_length > 0) || buffer == NULL) + png_error(png_ptr, "No IDAT data (internal error)"); + /* This routine must process all the data it has been given + * before returning, calling the row callback as required to + * handle the uncompressed results. + */ png_ptr->zstream.next_in = buffer; png_ptr->zstream.avail_in = (uInt)buffer_length; - for (;;) + + /* Keep going until the decompressed data is all processed + * or the stream marked as finished. + */ + while (png_ptr->zstream.avail_in > 0 && + !(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED)) { - ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH); - if (ret != Z_OK) + int ret; + /* We have data for zlib, but we must check that zlib + * has somewhere to put the results. It doesn't matter + * if we don't expect any results -- it may be the input + * data is just the LZ end code. + */ + if (!(png_ptr->zstream.avail_out > 0)) { - if (ret == Z_STREAM_END) - { - if (png_ptr->zstream.avail_in) - png_error(png_ptr, "Extra compressed data"); - - if (!(png_ptr->zstream.avail_out)) - { - png_push_process_row(png_ptr); - } + png_ptr->zstream.avail_out = + (uInt) PNG_ROWBYTES(png_ptr->pixel_depth, + png_ptr->iwidth) + 1; + png_ptr->zstream.next_out = png_ptr->row_buf; + } - png_ptr->mode |= PNG_AFTER_IDAT; - png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED; - break; - } - else if (ret == Z_BUF_ERROR) - break; + /* Using Z_SYNC_FLUSH here means that an unterminated + * LZ stream can still be handled (a stream with a missing + * end code), otherwise (Z_NO_FLUSH) a future zlib + * implementation might defer output and, therefore, + * change the current behavior. 
(See comments in inflate.c + * for why this doesn't happen at present with zlib 1.2.5.) + */ + ret = inflate(&png_ptr->zstream, Z_SYNC_FLUSH); + /* Check for any failure before proceeding. */ + if (ret != Z_OK && ret != Z_STREAM_END) + { + /* Terminate the decompression. */ + png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED; + /* This may be a truncated stream (missing or + * damaged end code). Treat that as a warning. + */ + if (png_ptr->row_number >= png_ptr->num_rows || + png_ptr->pass > 6) + png_warning(png_ptr, "Truncated compressed data in IDAT"); else - png_error(png_ptr, "Decompression Error"); + png_error(png_ptr, "Decompression error in IDAT"); + + /* Skip the check on unprocessed input */ + return; } - if (!(png_ptr->zstream.avail_out)) + + /* Did inflate output any data? */ + if (png_ptr->zstream.next_out != png_ptr->row_buf) { - if (( -#ifdef PNG_READ_INTERLACING_SUPPORTED - png_ptr->interlaced && png_ptr->pass > 6) || - (!png_ptr->interlaced && -#endif - png_ptr->row_number == png_ptr->num_rows)) + /* Is this unexpected data after the last row? + * If it is, artificially terminate the LZ output + * here. + */ + if (png_ptr->row_number >= png_ptr->num_rows || + png_ptr->pass > 6) { - if (png_ptr->zstream.avail_in) - png_warning(png_ptr, "Too much data in IDAT chunks"); + /* Extra data. */ + png_warning(png_ptr, "Extra compressed data in IDAT"); png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED; - break; + /* Do no more processing; skip the unprocessed + * input check below. + */ + return; } - png_push_process_row(png_ptr); - png_ptr->zstream.avail_out = - (uInt) PNG_ROWBYTES(png_ptr->pixel_depth, - png_ptr->iwidth) + 1; - png_ptr->zstream.next_out = png_ptr->row_buf; + + /* Do we have a complete row? */ + if (png_ptr->zstream.avail_out == 0) + png_push_process_row(png_ptr); } else break; + /* And check for the end of the stream. 
*/ + if (ret == Z_STREAM_END) + png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED; } + + /* All the data should have been processed, if anything + * is left at this point we have bytes of IDAT data + * after the zlib end code. + */ + if (png_ptr->zstream.avail_in > 0) + png_warning(png_ptr, "Extra compression data"); } void /* PRIVATE */ diff --git a/third_party/libpng/pngread.c b/third_party/libpng/pngread.c index bb62efb..6207624 100644 --- a/third_party/libpng/pngread.c +++ b/third_party/libpng/pngread.c @@ -1,8 +1,8 @@ /* pngread.c - read a PNG file * - * Last changed in libpng 1.2.43 [February 25, 2010] - * Copyright (c) 1998-2009 Glenn Randers-Pehrson + * Last changed in libpng 1.2.44 [June 26, 2010] + * Copyright (c) 1998-2010 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * diff --git a/third_party/libpng/pngrutil.c b/third_party/libpng/pngrutil.c index 9fd48be..a2b39cc2 100644 --- a/third_party/libpng/pngrutil.c +++ b/third_party/libpng/pngrutil.c @@ -1,8 +1,8 @@ /* pngrutil.c - utilities to read a PNG file * - * Last changed in libpng 1.2.43 [February 25, 2010] - * Copyright (c) 1998-2009 Glenn Randers-Pehrson + * Last changed in libpng 1.2.44 [June 26, 2010] + * Copyright (c) 1998-2010 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -271,12 +271,14 @@ png_inflate(png_structp png_ptr, const png_byte *data, png_size_t size, * buffer if available. */ { - char *msg, umsg[52]; + PNG_CONST char *msg; if (png_ptr->zstream.msg != 0) msg = png_ptr->zstream.msg; else { #if defined(PNG_STDIO_SUPPORTED) && !defined(_WIN32_WCE) + char umsg[52]; + switch (ret) { case Z_BUF_ERROR: 
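Review bot: Once `PNG_FLAG_ZLIB_FINISHED` is set, every later call to png_process_IDAT_data skips the `while` loop and reaches `if (png_ptr->zstream.avail_in > 0) png_warning(png_ptr, "Extra compression data");`, because the two call sites in png_push_read_IDAT (hunks at -783 and -807) no longer test the flag. A stream with trailing IDAT bytes therefore raises one warning per pushed buffer rather than one per image, which matters to applications that log or count warnings from untrusted files; say so in the function comment or warn only the first time. The check `png_ptr->row_number >= png_ptr->num_rows || png_ptr->pass > 6` is what stops png_push_process_row from being called past the last row, and is presumably the part the commit message's CVE reference depends on. It deserves a comment such as `/* Guard: rows past num_rows must never reach png_push_process_row (CVE-2010-1205). */`.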
@@ -341,9 +343,11 @@ png_decompress_chunk(png_structp png_ptr, int comp_type, if (png_ptr->user_chunk_malloc_max && (prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1)) #else +#ifdef PNG_USER_CHUNK_MALLOC_MAX if ((PNG_USER_CHUNK_MALLOC_MAX > 0) && prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1) #endif +#endif png_warning(png_ptr, "Exceeded size limit while expanding chunk"); /* If the size is zero either there was an error and a message @@ -351,7 +355,11 @@ png_decompress_chunk(png_structp png_ptr, int comp_type, * and we have nothing to do - the code will exit through the * error case below. */ - else if (expanded_size > 0) +#if defined(PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED) || \ + defined(PNG_USER_CHUNK_MALLOC_MAX) + else +#endif + if (expanded_size > 0 { /* Success (maybe) - really uncompress the chunk. */ png_size_t new_size = 0; @@ -385,10 +393,11 @@ png_decompress_chunk(png_structp png_ptr, int comp_type, else /* if (comp_type != PNG_COMPRESSION_TYPE_BASE) */ { +#if defined(PNG_STDIO_SUPPORTED) && !defined(_WIN32_WCE) char umsg[50]; -#if defined(PNG_STDIO_SUPPORTED) && !defined(_WIN32_WCE) - png_snprintf(umsg, sizeof umsg, "Unknown zTXt compression type %d", comp_type); + png_snprintf(umsg, sizeof umsg, "Unknown zTXt compression type %d", + comp_type); png_warning(png_ptr, umsg); #else png_warning(png_ptr, "Unknown zTXt compression type"); @@ -907,9 +916,11 @@ png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) green_x, green_y, blue_x, blue_y); #else fprintf(stderr, "wx=%ld, wy=%ld, rx=%ld, ry=%ld\n", - int_x_white, int_y_white, int_x_red, int_y_red); + (long)int_x_white, (long)int_y_white, + (long)int_x_red, (long)int_y_red); fprintf(stderr, "gx=%ld, gy=%ld, bx=%ld, by=%ld\n", - int_x_green, int_y_green, int_x_blue, int_y_blue); + (long)int_x_green, (long)int_y_green, + (long)int_x_blue, (long)int_y_blue); #endif #endif /* PNG_CONSOLE_IO_SUPPORTED */ } 
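Review bot: In the png_decompress_chunk hunk at -341, a build that defines neither PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED nor PNG_USER_CHUNK_MALLOC_MAX compiles out both `if` conditions, leaving `png_warning(png_ptr, "Exceeded size limit while expanding chunk");` unconditional and applying no size limit to the expanded chunk. Whether Chromium's configuration (pngusr.h, per README.chromium) always defines one of the two is not visible here and should be confirmed. A comment above the `#ifdef` naming the required macro would make the dependency explicit, e.g. `/* Requires PNG_USER_CHUNK_MALLOC_MAX or PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED; otherwise no limit is enforced. */`. The function body continues outside the hunk.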
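Review bot: The added line `if (expanded_size > 0` in the png_decompress_chunk hunk at -351 has no closing parenthesis as shown on this page, so pngrutil.c would not compile if the committed file matches; it should read `if (expanded_size > 0)`. README.chromium in this same commit states there are no changes to the source files, so the vendored pngrutil.c should be compared byte-for-byte against the 1.2.44 release before landing. The enclosing function starts and ends outside the hunk.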
@@ -1807,6 +1818,7 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) if (png_ptr->chunkdata == NULL) { png_warning(png_ptr, "Out of memory while processing sCAL chunk"); + png_crc_finish(png_ptr, length); return; } slength = (png_size_t)length; @@ -1828,6 +1840,8 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) if (*vp) { png_warning(png_ptr, "malformed width string in sCAL chunk"); + png_free(png_ptr, png_ptr->chunkdata); + png_ptr->chunkdata = NULL; return; } #else @@ -1849,8 +1863,7 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) if (png_ptr->chunkdata + slength < ep) { png_warning(png_ptr, "Truncated sCAL chunk"); -#if defined(PNG_FIXED_POINT_SUPPORTED) && \ - !defined(PNG_FLOATING_POINT_SUPPORTED) +#if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED) png_free(png_ptr, swidth); #endif png_free(png_ptr, png_ptr->chunkdata); @@ -1863,6 +1876,11 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) if (*vp) { png_warning(png_ptr, "malformed height string in sCAL chunk"); + png_free(png_ptr, png_ptr->chunkdata); + png_ptr->chunkdata = NULL; +#if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED) + png_free(png_ptr, swidth); +#endif return; } #else @@ -1871,6 +1889,11 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) if (sheight == NULL) { png_warning(png_ptr, "Out of memory while processing sCAL chunk height"); + png_free(png_ptr, png_ptr->chunkdata); + png_ptr->chunkdata = NULL; +#if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED) + png_free(png_ptr, swidth); +#endif return; } png_memcpy(sheight, ep, (png_size_t)png_strlen(ep)); |
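Review bot: The last context line of the hunk at -1871, `png_memcpy(sheight, ep, (png_size_t)png_strlen(ep));`, copies the height string without its terminating NUL. sheight is then a valid C string only if its allocation, which is outside the hunk, zero-fills the buffer or the terminator is written later. If sheight is allocated with png_strlen(ep) + 1 bytes, copying `(png_size_t)png_strlen(ep) + 1` bytes would carry the terminator across; otherwise a later string read of sheight could run past the buffer. The cleanup lines added on the error exits in the sCAL hunks look consistent with each other, and png_handle_sCAL continues outside the hunk.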