From 8e783a6b2c165b5d3dcdf9e4d4c2526ac18c77c8 Mon Sep 17 00:00:00 2001 From: dsinclair Date: Tue, 6 Sep 2016 08:56:46 -0700 Subject: Avoid leaking params if any entry bad. The call to png_set_pCAL can call into png_error for several reasons. This CL verifies that the params are valid before calling into png_set_pCAL. BUG=chromium:636214 Review-Url: https://codereview.chromium.org/2292313003 --- .../libpng16/0003-check-errors-in-set-pcal.patch | 47 ++++++++++++++++++++++ third_party/libpng16/README.pdfium | 1 + third_party/libpng16/pngset.c | 22 +++++++--- 3 files changed, 65 insertions(+), 5 deletions(-) create mode 100644 third_party/libpng16/0003-check-errors-in-set-pcal.patch diff --git a/third_party/libpng16/0003-check-errors-in-set-pcal.patch b/third_party/libpng16/0003-check-errors-in-set-pcal.patch new file mode 100644 index 0000000000..58e27ba623 --- /dev/null +++ b/third_party/libpng16/0003-check-errors-in-set-pcal.patch @@ -0,0 +1,47 @@ +diff --git a/pngset.c b/pngset.c +index cccd9cd..83d6ce2 100644 +--- a/pngset.c ++++ b/pngset.c +@@ -283,17 +283,29 @@ png_set_pCAL(png_const_structrp png_ptr, png_inforpinfo_ptr, + + /* Check that the type matches the specification. */ + if (type < 0 || type > 3) +- png_error(png_ptr, "Invalid pCAL equation type"); ++ { ++ png_chunk_report(png_ptr, "Invalid pCAL equation type", ++ PNG_CHUNK_WRITE_ERROR); ++ return; ++ } + + if (nparams < 0 || nparams > 255) +- png_error(png_ptr, "Invalid pCAL parameter count"); ++ { ++ png_chunk_report(png_ptr, "Invalid pCAL parameter count", ++ PNG_CHUNK_WRITE_ERROR); ++ return; ++ } + + /* Validate params[nparams] */ + for (i=0; ipcal_purpose = png_voidcast(png_charp, +@@ -301,8 +313,8 @@ png_set_pCAL(png_const_structrp png_ptr, png_inforpinfo_ptr, + + if (info_ptr->pcal_purpose == NULL) + { +- png_warning(png_ptr, "Insufficient memory for pCAL purpose"); +- ++ png_chunk_report(png_ptr, "Insufficient memory for pCAL purpose", ++ PNG_CHUNK_WRITE_ERROR); + return; + } diff --git a/third_party/libpng16/README.pdfium b/third_party/libpng16/README.pdfium index 733867b782..47af52f8b6 100644 --- a/third_party/libpng16/README.pdfium +++ b/third_party/libpng16/README.pdfium @@ -17,3 +17,4 @@ pnglibconf.h: a copy of libpng's scripts/pnglibconf.h.prebuilt. pngprefix.h: manually-created redefinitions to avoid conflicts with Chromium. 0000-build-config.patch: Local build configuration changes. 0002-static-png-gt.patch: Unconditionally use static png_gt() in png.c to avoid compilation warning. +0003-check-errors-in-set-pcal.patch: Backported github.com/glennrp/libpng/pull/135 diff --git a/third_party/libpng16/pngset.c b/third_party/libpng16/pngset.c index 303328f87e..1c51270cc5 100644 --- a/third_party/libpng16/pngset.c +++ b/third_party/libpng16/pngset.c @@ -283,17 +283,29 @@ png_set_pCAL(png_const_structrp png_ptr, png_inforp info_ptr, /* Check that the type matches the specification. */ if (type < 0 || type > 3) - png_error(png_ptr, "Invalid pCAL equation type"); + { + png_chunk_report(png_ptr, "Invalid pCAL equation type", + PNG_CHUNK_WRITE_ERROR); + return; + } if (nparams < 0 || nparams > 255) - png_error(png_ptr, "Invalid pCAL parameter count"); + { + png_chunk_report(png_ptr, "Invalid pCAL parameter count", + PNG_CHUNK_WRITE_ERROR); + return; + } /* Validate params[nparams] */ for (i=0; ipcal_purpose = png_voidcast(png_charp, @@ -301,8 +313,8 @@ png_set_pCAL(png_const_structrp png_ptr, png_inforp info_ptr, if (info_ptr->pcal_purpose == NULL) { - png_warning(png_ptr, "Insufficient memory for pCAL purpose"); - + png_chunk_report(png_ptr, "Insufficient memory for pCAL purpose", + PNG_CHUNK_WRITE_ERROR); return; } -- cgit v1.2.3