mirror of
https://github.com/openharmony/third_party_libpng.git
synced 2026-07-01 09:25:04 -04:00
new: 新建文件 CVE-2026-33416.patch
Signed-off-by: gcw_5Q40SBlf <guokuan1@h-partners.com>
This commit is contained in:
@@ -0,0 +1,208 @@
|
||||
diff --git a/pngread.c b/pngread.c
|
||||
index 948dc9a..691aced 100644
|
||||
--- a/pngread.c
|
||||
+++ b/pngread.c
|
||||
@@ -963,21 +963,19 @@ png_read_destroy(png_structrp png_ptr)
|
||||
png_ptr->quantize_index = NULL;
|
||||
#endif
|
||||
|
||||
- if ((png_ptr->free_me & PNG_FREE_PLTE) != 0)
|
||||
- {
|
||||
- png_zfree(png_ptr, png_ptr->palette);
|
||||
- png_ptr->palette = NULL;
|
||||
- }
|
||||
- png_ptr->free_me &= ~PNG_FREE_PLTE;
|
||||
+ /* png_ptr->palette is always independently allocated (not aliased
|
||||
+ * with info_ptr->palette), so free it unconditionally.
|
||||
+ */
|
||||
+ png_free(png_ptr, png_ptr->palette);
|
||||
+ png_ptr->palette = NULL;
|
||||
|
||||
#if defined(PNG_tRNS_SUPPORTED) || \
|
||||
defined(PNG_READ_EXPAND_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED)
|
||||
- if ((png_ptr->free_me & PNG_FREE_TRNS) != 0)
|
||||
- {
|
||||
- png_free(png_ptr, png_ptr->trans_alpha);
|
||||
- png_ptr->trans_alpha = NULL;
|
||||
- }
|
||||
- png_ptr->free_me &= ~PNG_FREE_TRNS;
|
||||
+ /* png_ptr->trans_alpha is always independently allocated (not aliased
|
||||
+ * with info_ptr->trans_alpha), so free it unconditionally.
|
||||
+ */
|
||||
+ png_free(png_ptr, png_ptr->trans_alpha);
|
||||
+ png_ptr->trans_alpha = NULL;
|
||||
#endif
|
||||
|
||||
inflateEnd(&png_ptr->zstream);
|
||||
diff --git a/pngrtran.c b/pngrtran.c
|
||||
index 425b1aa..97c64d7 100644
|
||||
--- a/pngrtran.c
|
||||
+++ b/pngrtran.c
|
||||
@@ -750,7 +750,13 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
|
||||
}
|
||||
if (png_ptr->palette == NULL)
|
||||
{
|
||||
- png_ptr->palette = palette;
|
||||
+ /* Allocate an owned copy rather than aliasing the caller's pointer,
|
||||
+ * so that png_read_destroy can free png_ptr->palette unconditionally.
|
||||
+ */
|
||||
+ png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
|
||||
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
|
||||
+ memcpy(png_ptr->palette, palette, (unsigned int)num_palette *
|
||||
+ (sizeof (png_color)));
|
||||
}
|
||||
png_ptr->num_palette = (png_uint_16)num_palette;
|
||||
|
||||
@@ -1978,6 +1984,21 @@ png_read_transform_info(png_structrp png_ptr, png_inforp info_ptr)
|
||||
{
|
||||
png_debug(1, "in png_read_transform_info");
|
||||
|
||||
+ if (png_ptr->transformations != 0)
|
||||
+ {
|
||||
+ if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
|
||||
+ info_ptr->palette != NULL && png_ptr->palette != NULL)
|
||||
+ {
|
||||
+ /* Sync info_ptr->palette with png_ptr->palette.
|
||||
+ * The function png_init_read_transformations may have modified
|
||||
+ * png_ptr->palette in place (e.g. for gamma correction or for
|
||||
+ * background compositing).
|
||||
+ */
|
||||
+ memcpy(info_ptr->palette, png_ptr->palette,
|
||||
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)));
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
#ifdef PNG_READ_EXPAND_SUPPORTED
|
||||
if ((png_ptr->transformations & PNG_EXPAND) != 0)
|
||||
{
|
||||
diff --git a/pngrutil.c b/pngrutil.c
|
||||
index d31dc21..2128b2a 100644
|
||||
--- a/pngrutil.c
|
||||
+++ b/pngrutil.c
|
||||
@@ -1905,10 +1905,6 @@ png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
|
||||
return;
|
||||
}
|
||||
|
||||
- /* TODO: this is a horrible side effect in the palette case because the
|
||||
- * png_struct ends up with a pointer to the tRNS buffer owned by the
|
||||
- * png_info. Fix this.
|
||||
- */
|
||||
png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
|
||||
&(png_ptr->trans_color));
|
||||
}
|
||||
diff --git a/pngset.c b/pngset.c
|
||||
index eb1c8c7..6543ea4 100644
|
||||
--- a/pngset.c
|
||||
+++ b/pngset.c
|
||||
@@ -595,28 +595,38 @@ png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
|
||||
png_error(png_ptr, "Invalid palette");
|
||||
}
|
||||
|
||||
- /* It may not actually be necessary to set png_ptr->palette here;
|
||||
- * we do it for backward compatibility with the way the png_handle_tRNS
|
||||
- * function used to do the allocation.
|
||||
- *
|
||||
- * 1.6.0: the above statement appears to be incorrect; something has to set
|
||||
- * the palette inside png_struct on read.
|
||||
- */
|
||||
png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
|
||||
|
||||
/* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
|
||||
* of num_palette entries, in case of an invalid PNG file or incorrect
|
||||
* call to png_set_PLTE() with too-large sample values.
|
||||
+ *
|
||||
+ * Allocate independent buffers for info_ptr and png_ptr so that the
|
||||
+ * lifetime of png_ptr->palette is decoupled from the lifetime of
|
||||
+ * info_ptr->palette. Previously, these two pointers were aliased,
|
||||
+ * which caused a use-after-free vulnerability if png_free_data freed
|
||||
+ * info_ptr->palette while png_ptr->palette was still in use by the
|
||||
+ * row transform functions (e.g. png_do_expand_palette).
|
||||
+ *
|
||||
+ * Both buffers are allocated with png_calloc to zero-fill, because
|
||||
+ * the ARM NEON palette riffle reads all 256 entries unconditionally,
|
||||
+ * regardless of num_palette.
|
||||
*/
|
||||
+ png_free(png_ptr, png_ptr->palette);
|
||||
png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
|
||||
PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
|
||||
+ info_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
|
||||
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
|
||||
+ png_ptr->num_palette = info_ptr->num_palette = (png_uint_16)num_palette;
|
||||
|
||||
if (num_palette > 0)
|
||||
+ {
|
||||
+ memcpy(info_ptr->palette, palette, (unsigned int)num_palette *
|
||||
+ (sizeof (png_color)));
|
||||
memcpy(png_ptr->palette, palette, (unsigned int)num_palette *
|
||||
(sizeof (png_color)));
|
||||
+ }
|
||||
|
||||
- info_ptr->palette = png_ptr->palette;
|
||||
- info_ptr->num_palette = png_ptr->num_palette = (png_uint_16)num_palette;
|
||||
info_ptr->free_me |= PNG_FREE_PLTE;
|
||||
info_ptr->valid |= PNG_INFO_PLTE;
|
||||
}
|
||||
@@ -990,26 +1000,34 @@ png_set_tRNS(png_structrp png_ptr, png_inforp info_ptr,
|
||||
|
||||
if (trans_alpha != NULL)
|
||||
{
|
||||
- /* It may not actually be necessary to set png_ptr->trans_alpha here;
|
||||
- * we do it for backward compatibility with the way the png_handle_tRNS
|
||||
- * function used to do the allocation.
|
||||
- *
|
||||
- * 1.6.0: The above statement is incorrect; png_handle_tRNS effectively
|
||||
- * relies on png_set_tRNS storing the information in png_struct
|
||||
- * (otherwise it won't be there for the code in pngrtran.c).
|
||||
- */
|
||||
-
|
||||
png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
|
||||
|
||||
if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
|
||||
{
|
||||
- /* Changed from num_trans to PNG_MAX_PALETTE_LENGTH in version 1.2.1 */
|
||||
+ /* Allocate info_ptr's copy of the transparency data. */
|
||||
info_ptr->trans_alpha = png_voidcast(png_bytep,
|
||||
png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
|
||||
memcpy(info_ptr->trans_alpha, trans_alpha, (size_t)num_trans);
|
||||
|
||||
+
|
||||
+ /* Allocate an independent copy for png_struct, so that the
|
||||
+ * lifetime of png_ptr->trans_alpha is decoupled from the
|
||||
+ * lifetime of info_ptr->trans_alpha. Previously these two
|
||||
+ * pointers were aliased, which caused a use-after-free if
|
||||
+ * png_free_data freed info_ptr->trans_alpha while
|
||||
+ * png_ptr->trans_alpha was still in use by the row transform
|
||||
+ * functions (e.g. png_do_expand_palette).
|
||||
+ */
|
||||
+ png_free(png_ptr, png_ptr->trans_alpha);
|
||||
+ png_ptr->trans_alpha = png_voidcast(png_bytep,
|
||||
+ png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
|
||||
+ memcpy(png_ptr->trans_alpha, trans_alpha, (size_t)num_trans);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ png_free(png_ptr, png_ptr->trans_alpha);
|
||||
+ png_ptr->trans_alpha = NULL;
|
||||
}
|
||||
- png_ptr->trans_alpha = info_ptr->trans_alpha;
|
||||
}
|
||||
|
||||
if (trans_color != NULL)
|
||||
diff --git a/pngwrite.c b/pngwrite.c
|
||||
index 2201d3a..11bdfa0 100644
|
||||
--- a/pngwrite.c
|
||||
+++ b/pngwrite.c
|
||||
@@ -977,6 +977,10 @@ png_write_destroy(png_structrp png_ptr)
|
||||
png_ptr->chunk_list = NULL;
|
||||
#endif
|
||||
|
||||
+ /* Free the independent copy of the palette owned by png_struct. */
|
||||
+ png_free(png_ptr, png_ptr->palette);
|
||||
+ png_ptr->palette = NULL;
|
||||
+
|
||||
/* The error handling and memory handling information is left intact at this
|
||||
* point: the jmp_buf may still have to be freed. See png_destroy_png_struct
|
||||
* for how this happens.
|
||||
--
|
||||
2.1.4
|
||||
|
||||
Reference in New Issue
Block a user