summaryrefslogtreecommitdiffstats
path: root/third_party/libpng
diff options
context:
space:
mode:
authormhm@chromium.org <mhm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-06-26 18:03:28 +0000
committermhm@chromium.org <mhm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-06-26 18:03:28 +0000
commit6f7a602151b8a9c4437f9756766782d8b0f8196f (patch)
tree511c03bb9c1cdae04872c14069ae5c7cd72e7da7 /third_party/libpng
parent01143a0d7e28b08783048b5fb6b940731d56cf75 (diff)
downloadchromium_src-6f7a602151b8a9c4437f9756766782d8b0f8196f.zip
chromium_src-6f7a602151b8a9c4437f9756766782d8b0f8196f.tar.gz
chromium_src-6f7a602151b8a9c4437f9756766782d8b0f8196f.tar.bz2
Update libpng to version 1.2.44
According to libpng website, this will solve the vulnerability ID CVE-2010-1205. BUG=47633 TEST=None Review URL: http://codereview.chromium.org/2835021 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@50937 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'third_party/libpng')
-rw-r--r--third_party/libpng/LICENSE2
-rw-r--r--third_party/libpng/README2
-rw-r--r--third_party/libpng/README.chromium2
-rw-r--r--third_party/libpng/png.h3
-rw-r--r--third_party/libpng/pngpread.c123
-rw-r--r--third_party/libpng/pngread.c4
-rw-r--r--third_party/libpng/pngrutil.c43
7 files changed, 121 insertions, 58 deletions
diff --git a/third_party/libpng/LICENSE b/third_party/libpng/LICENSE
index 8521813..662cba9 100644
--- a/third_party/libpng/LICENSE
+++ b/third_party/libpng/LICENSE
@@ -10,7 +10,7 @@ this sentence.
This code is released under the libpng license.
-libpng versions 1.2.6, August 15, 2004, through 1.2.43, February 25, 2010, are
+libpng versions 1.2.6, August 15, 2004, through 1.2.44, June 26, 2010, are
Copyright (c) 2004, 2006-2009 Glenn Randers-Pehrson, and are
distributed according to the same disclaimer and license as libpng-1.2.5
with the following individual added to the list of Contributing Authors
diff --git a/third_party/libpng/README b/third_party/libpng/README
index 31949f3..01f5d4c 100644
--- a/third_party/libpng/README
+++ b/third_party/libpng/README
@@ -1,4 +1,4 @@
-README for libpng version 1.2.43 - February 25, 2010 (shared library 12.0)
+README for libpng version 1.2.44 - June 26, 2010 (shared library 12.0)
See the note about version numbers near the top of png.h
See INSTALL for instructions on how to install libpng.
diff --git a/third_party/libpng/README.chromium b/third_party/libpng/README.chromium
index 5549159..8ee1a0a 100644
--- a/third_party/libpng/README.chromium
+++ b/third_party/libpng/README.chromium
@@ -5,6 +5,6 @@ Our custom configuration options are defined in pngusr.h. This was previously
called mozpngconf.h, which was copied from Mozilla and modified by Apple (hence
the webkit_* names).
-Updated to 1.2.43, no changes to the source files but all unneeded files
+Updated to 1.2.44, no changes to the source files but all unneeded files
stripped.
diff --git a/third_party/libpng/png.h b/third_party/libpng/png.h
index 7a27c6f..1ed5426 100644
--- a/third_party/libpng/png.h
+++ b/third_party/libpng/png.h
@@ -259,6 +259,9 @@
* 1.2.43rc01-02 13 10243 12.so.0.43[.0]
* 1.0.53 10 10053 10.so.0.53[.0]
* 1.2.43 13 10243 12.so.0.43[.0]
+ * 1.2.44beta01-03 13 10244 12.so.0.44[.0]
+ * 1.2.44rc01-03 13 10244 12.so.0.44[.0]
+ * 1.2.44 13 10244 12.so.0.44[.0]
*
* Henceforth the source version will match the shared-library major
* and minor numbers; the shared-library major version number will be
diff --git a/third_party/libpng/pngpread.c b/third_party/libpng/pngpread.c
index 52f41a2..48608f6 100644
--- a/third_party/libpng/pngpread.c
+++ b/third_party/libpng/pngpread.c
@@ -1,7 +1,7 @@
/* pngpread.c - read a png file in push mode
*
- * Last changed in libpng 1.2.43 [February 25, 2010]
+ * Last changed in libpng 1.2.44 [June 26, 2010]
* Copyright (c) 1998-2010 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -783,8 +783,7 @@ png_push_read_IDAT(png_structp png_ptr)
png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size);
- if (!(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED))
- png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size);
+ png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size);
png_ptr->idat_size -= save_size;
png_ptr->buffer_size -= save_size;
@@ -807,8 +806,7 @@ png_push_read_IDAT(png_structp png_ptr)
save_size = png_ptr->current_buffer_size;
png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size);
- if (!(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED))
- png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size);
+ png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size);
png_ptr->idat_size -= save_size;
png_ptr->buffer_size -= save_size;
@@ -833,62 +831,101 @@ void /* PRIVATE */
png_process_IDAT_data(png_structp png_ptr, png_bytep buffer,
png_size_t buffer_length)
{
- int ret;
-
- if ((png_ptr->flags & PNG_FLAG_ZLIB_FINISHED) && buffer_length)
- png_error(png_ptr, "Extra compression data");
+ /* The caller checks for a non-zero buffer length. */
+ if (!(buffer_length > 0) || buffer == NULL)
+ png_error(png_ptr, "No IDAT data (internal error)");
+ /* This routine must process all the data it has been given
+ * before returning, calling the row callback as required to
+ * handle the uncompressed results.
+ */
png_ptr->zstream.next_in = buffer;
png_ptr->zstream.avail_in = (uInt)buffer_length;
- for (;;)
+
+ /* Keep going until the decompressed data is all processed
+ * or the stream marked as finished.
+ */
+ while (png_ptr->zstream.avail_in > 0 &&
+ !(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED))
{
- ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH);
- if (ret != Z_OK)
+ int ret;
+ /* We have data for zlib, but we must check that zlib
+ * has somewhere to put the results. It doesn't matter
+ * if we don't expect any results -- it may be the input
+ * data is just the LZ end code.
+ */
+ if (!(png_ptr->zstream.avail_out > 0))
{
- if (ret == Z_STREAM_END)
- {
- if (png_ptr->zstream.avail_in)
- png_error(png_ptr, "Extra compressed data");
-
- if (!(png_ptr->zstream.avail_out))
- {
- png_push_process_row(png_ptr);
- }
+ png_ptr->zstream.avail_out =
+ (uInt) PNG_ROWBYTES(png_ptr->pixel_depth,
+ png_ptr->iwidth) + 1;
+ png_ptr->zstream.next_out = png_ptr->row_buf;
+ }
- png_ptr->mode |= PNG_AFTER_IDAT;
- png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;
- break;
- }
- else if (ret == Z_BUF_ERROR)
- break;
+ /* Using Z_SYNC_FLUSH here means that an unterminated
+ * LZ stream can still be handled (a stream with a missing
+ * end code), otherwise (Z_NO_FLUSH) a future zlib
+ * implementation might defer output and, therefore,
+ * change the current behavior. (See comments in inflate.c
+ * for why this doesn't happen at present with zlib 1.2.5.)
+ */
+ ret = inflate(&png_ptr->zstream, Z_SYNC_FLUSH);
+ /* Check for any failure before proceeding. */
+ if (ret != Z_OK && ret != Z_STREAM_END)
+ {
+ /* Terminate the decompression. */
+ png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;
+ /* This may be a truncated stream (missing or
+ * damaged end code). Treat that as a warning.
+ */
+ if (png_ptr->row_number >= png_ptr->num_rows ||
+ png_ptr->pass > 6)
+ png_warning(png_ptr, "Truncated compressed data in IDAT");
else
- png_error(png_ptr, "Decompression Error");
+ png_error(png_ptr, "Decompression error in IDAT");
+
+ /* Skip the check on unprocessed input */
+ return;
}
- if (!(png_ptr->zstream.avail_out))
+
+ /* Did inflate output any data? */
+ if (png_ptr->zstream.next_out != png_ptr->row_buf)
{
- if ((
-#ifdef PNG_READ_INTERLACING_SUPPORTED
- png_ptr->interlaced && png_ptr->pass > 6) ||
- (!png_ptr->interlaced &&
-#endif
- png_ptr->row_number == png_ptr->num_rows))
+ /* Is this unexpected data after the last row?
+ * If it is, artificially terminate the LZ output
+ * here.
+ */
+ if (png_ptr->row_number >= png_ptr->num_rows ||
+ png_ptr->pass > 6)
{
- if (png_ptr->zstream.avail_in)
- png_warning(png_ptr, "Too much data in IDAT chunks");
+ /* Extra data. */
+ png_warning(png_ptr, "Extra compressed data in IDAT");
png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;
- break;
+ /* Do no more processing; skip the unprocessed
+ * input check below.
+ */
+ return;
}
- png_push_process_row(png_ptr);
- png_ptr->zstream.avail_out =
- (uInt) PNG_ROWBYTES(png_ptr->pixel_depth,
- png_ptr->iwidth) + 1;
- png_ptr->zstream.next_out = png_ptr->row_buf;
+
+ /* Do we have a complete row? */
+ if (png_ptr->zstream.avail_out == 0)
+ png_push_process_row(png_ptr);
}
else
break;
+ /* And check for the end of the stream. */
+ if (ret == Z_STREAM_END)
+ png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;
}
+
+ /* All the data should have been processed, if anything
+ * is left at this point we have bytes of IDAT data
+ * after the zlib end code.
+ */
+ if (png_ptr->zstream.avail_in > 0)
+ png_warning(png_ptr, "Extra compression data");
}
void /* PRIVATE */
diff --git a/third_party/libpng/pngread.c b/third_party/libpng/pngread.c
index bb62efb..6207624 100644
--- a/third_party/libpng/pngread.c
+++ b/third_party/libpng/pngread.c
@@ -1,8 +1,8 @@
/* pngread.c - read a PNG file
*
- * Last changed in libpng 1.2.43 [February 25, 2010]
- * Copyright (c) 1998-2009 Glenn Randers-Pehrson
+ * Last changed in libpng 1.2.44 [June 26, 2010]
+ * Copyright (c) 1998-2010 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
*
diff --git a/third_party/libpng/pngrutil.c b/third_party/libpng/pngrutil.c
index 9fd48be..a2b39cc2 100644
--- a/third_party/libpng/pngrutil.c
+++ b/third_party/libpng/pngrutil.c
@@ -1,8 +1,8 @@
/* pngrutil.c - utilities to read a PNG file
*
- * Last changed in libpng 1.2.43 [February 25, 2010]
- * Copyright (c) 1998-2009 Glenn Randers-Pehrson
+ * Last changed in libpng 1.2.44 [June 26, 2010]
+ * Copyright (c) 1998-2010 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
*
@@ -271,12 +271,14 @@ png_inflate(png_structp png_ptr, const png_byte *data, png_size_t size,
* buffer if available.
*/
{
- char *msg, umsg[52];
+ PNG_CONST char *msg;
if (png_ptr->zstream.msg != 0)
msg = png_ptr->zstream.msg;
else
{
#if defined(PNG_STDIO_SUPPORTED) && !defined(_WIN32_WCE)
+ char umsg[52];
+
switch (ret)
{
case Z_BUF_ERROR:
@@ -341,9 +343,11 @@ png_decompress_chunk(png_structp png_ptr, int comp_type,
if (png_ptr->user_chunk_malloc_max &&
(prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1))
#else
+#ifdef PNG_USER_CHUNK_MALLOC_MAX
if ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1)
#endif
+#endif
png_warning(png_ptr, "Exceeded size limit while expanding chunk");
/* If the size is zero either there was an error and a message
@@ -351,7 +355,11 @@ png_decompress_chunk(png_structp png_ptr, int comp_type,
* and we have nothing to do - the code will exit through the
* error case below.
*/
- else if (expanded_size > 0)
+#if defined(PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED) || \
+ defined(PNG_USER_CHUNK_MALLOC_MAX)
+ else
+#endif
+ if (expanded_size > 0
{
/* Success (maybe) - really uncompress the chunk. */
png_size_t new_size = 0;
@@ -385,10 +393,11 @@ png_decompress_chunk(png_structp png_ptr, int comp_type,
else /* if (comp_type != PNG_COMPRESSION_TYPE_BASE) */
{
+#if defined(PNG_STDIO_SUPPORTED) && !defined(_WIN32_WCE)
char umsg[50];
-#if defined(PNG_STDIO_SUPPORTED) && !defined(_WIN32_WCE)
- png_snprintf(umsg, sizeof umsg, "Unknown zTXt compression type %d", comp_type);
+ png_snprintf(umsg, sizeof umsg, "Unknown zTXt compression type %d",
+ comp_type);
png_warning(png_ptr, umsg);
#else
png_warning(png_ptr, "Unknown zTXt compression type");
@@ -907,9 +916,11 @@ png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
green_x, green_y, blue_x, blue_y);
#else
fprintf(stderr, "wx=%ld, wy=%ld, rx=%ld, ry=%ld\n",
- int_x_white, int_y_white, int_x_red, int_y_red);
+ (long)int_x_white, (long)int_y_white,
+ (long)int_x_red, (long)int_y_red);
fprintf(stderr, "gx=%ld, gy=%ld, bx=%ld, by=%ld\n",
- int_x_green, int_y_green, int_x_blue, int_y_blue);
+ (long)int_x_green, (long)int_y_green,
+ (long)int_x_blue, (long)int_y_blue);
#endif
#endif /* PNG_CONSOLE_IO_SUPPORTED */
}
@@ -1807,6 +1818,7 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
if (png_ptr->chunkdata == NULL)
{
png_warning(png_ptr, "Out of memory while processing sCAL chunk");
+ png_crc_finish(png_ptr, length);
return;
}
slength = (png_size_t)length;
@@ -1828,6 +1840,8 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
if (*vp)
{
png_warning(png_ptr, "malformed width string in sCAL chunk");
+ png_free(png_ptr, png_ptr->chunkdata);
+ png_ptr->chunkdata = NULL;
return;
}
#else
@@ -1849,8 +1863,7 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
if (png_ptr->chunkdata + slength < ep)
{
png_warning(png_ptr, "Truncated sCAL chunk");
-#if defined(PNG_FIXED_POINT_SUPPORTED) && \
- !defined(PNG_FLOATING_POINT_SUPPORTED)
+#if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
png_free(png_ptr, swidth);
#endif
png_free(png_ptr, png_ptr->chunkdata);
@@ -1863,6 +1876,11 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
if (*vp)
{
png_warning(png_ptr, "malformed height string in sCAL chunk");
+ png_free(png_ptr, png_ptr->chunkdata);
+ png_ptr->chunkdata = NULL;
+#if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
+ png_free(png_ptr, swidth);
+#endif
return;
}
#else
@@ -1871,6 +1889,11 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
if (sheight == NULL)
{
png_warning(png_ptr, "Out of memory while processing sCAL chunk height");
+ png_free(png_ptr, png_ptr->chunkdata);
+ png_ptr->chunkdata = NULL;
+#if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
+ png_free(png_ptr, swidth);
+#endif
return;
}
png_memcpy(sheight, ep, (png_size_t)png_strlen(ep));