1 diff --git a/png.c b/png.c
2 index 35e14f63d..01d8d9bae 100644
3 --- a/png.c
4 +++ b/png.c
5 @@ -1931,8 +1931,8 @@ png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace,
6 static const png_byte D50_nCIEXYZ[12] =
7 { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d };
8 
9 -int /* PRIVATE */
10 -png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
11 +static int /* bool */
12 +icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
13 png_const_charp name, png_uint_32 profile_length)
14 {
15 if (profile_length < 132)
16 
@@ -1942,6 +1942,40 @@ png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
17 return 1;
18 }
19 
20 +#ifdef PNG_READ_iCCP_SUPPORTED
21 +int /* PRIVATE */
22 +png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
23 + png_const_charp name, png_uint_32 profile_length)
24 +{
25 + if (!icc_check_length(png_ptr, colorspace, name, profile_length))
26 + return 0;
27 +
28 + /* This needs to be here because the 'normal' check is in
29 * png_decompress_chunk, yet this happens after the attempt to
30 * png_malloc_base the required data. We only need this on read; on write
31 * the caller supplies the profile buffer so libpng doesn't allocate it. See
32 * the call to icc_check_length below (the write case).
33 + */
34 +# ifdef PNG_SET_USER_LIMITS_SUPPORTED
35 + else if (png_ptr->user_chunk_malloc_max > 0 &&
36 + png_ptr->user_chunk_malloc_max < profile_length)
37 + return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
38 + "exceeds application limits");
39 +# elif PNG_USER_CHUNK_MALLOC_MAX > 0
40 + else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length)
41 + return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
42 + "exceeds libpng limits");
43 +# else /* !SET_USER_LIMITS */
44 + /* This will get compiled out on all 32-bit and better systems. */
45 + else if (PNG_SIZE_MAX < profile_length)
46 + return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
47 + "exceeds system limits");
48 +# endif /* !SET_USER_LIMITS */
49 +
50 + return 1;
51 +}
52 +#endif /* READ_iCCP */
53 +
54 int /* PRIVATE */
55 png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace,
56 png_const_charp name, png_uint_32 profile_length,
57 
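Review bot: The three `else if` branches at lines 35, 40 and 45 pair with `if (!icc_check_length(...)) return 0;` on line 25 across a blank line, a five-line comment and a `# ifdef`, which hides the control flow and is fragile when a branch is edited; since that first `if` always returns, each branch can simply be `if (png_ptr->user_chunk_malloc_max > 0 &&`, `if (PNG_USER_CHUNK_MALLOC_MAX < profile_length)` and `if (PNG_SIZE_MAX < profile_length)` with no `else`. The comment on line 44 says the `# else` check compiles out on 32-bit systems, but on a target where size_t and png_uint_32 are both 32 bits the comparison is merely always false, so compilers with `-Wtype-limits` (part of `-Wextra` on GCC) may warn there; worth checking a 32-bit build before relying on the comment. The phrase "(the write case)" on line 32 is accurate only if png_colorspace_set_ICC is never reached on read without this wrapper having run first; if the read handler also calls it, I would reword to "the call to icc_check_length below, where the profile is already in memory".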
@@ -2379,7 +2413,7 @@ png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace,
58 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
59 return 0;
60 
61 - if (png_icc_check_length(png_ptr, colorspace, name, profile_length) != 0 &&
62 + if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 &&
63 png_icc_check_header(png_ptr, colorspace, name, profile_length, profile,
64 color_type) != 0 &&
65 png_icc_check_tag_table(png_ptr, colorspace, name, profile_length,
66 diff --git a/pngpriv.h b/pngpriv.h
67 index 9ea023fea..633671352 100644
68 --- a/pngpriv.h
69 +++ b/pngpriv.h
70 @@ -1541,9 +1541,11 @@ PNG_INTERNAL_FUNCTION(int,png_colorspace_set_ICC,(png_const_structrp png_ptr,
71 /* The 'name' is used for information only */
72 
73 /* Routines for checking parts of an ICC profile. */
74 +#ifdef PNG_READ_iCCP_SUPPORTED
75 PNG_INTERNAL_FUNCTION(int,png_icc_check_length,(png_const_structrp png_ptr,
76 png_colorspacerp colorspace, png_const_charp name,
77 png_uint_32 profile_length), PNG_EMPTY);
78 +#endif /* READ_iCCP */
79 PNG_INTERNAL_FUNCTION(int,png_icc_check_header,(png_const_structrp png_ptr,
80 png_colorspacerp colorspace, png_const_charp name,
81 png_uint_32 profile_length,
82 
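Review bot: With line 62 calling the static `icc_check_length`, png_colorspace_set_ICC itself no longer applies user_chunk_malloc_max to profile_length; only the 132-byte minimum from the helper in the @@ -1931 hunk runs here, and the limit now lives solely in png_icc_check_length, which the @@ -1942 hunk compiles only under PNG_READ_iCCP_SUPPORTED. That is sound on read only if every path that reaches this call (presumably png_handle_iCCP, which this diff does not show) invokes png_icc_check_length before the profile buffer is allocated — the pre-allocation ordering the new comment gives as the reason for the wrapper — so I would verify that caller rather than infer it from the rename. A comment at the call site would make the dependency visible to the next maintainer: `/* On read, png_icc_check_length has already applied the chunk malloc limit before the profile was allocated; only the structural checks run here. */`. png_colorspace_set_ICC continues outside the hunk.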