new: 新建文件 CVE-2026-33416.patch

Signed-off-by: gcw_5Q40SBlf <guokuan1@h-partners.com>
This commit is contained in:
gcw_5Q40SBlf
2026-04-01 16:08:14 +08:00
parent c667c32439
commit b754b0a7bb
+208
View File
@@ -0,0 +1,208 @@
diff --git a/pngread.c b/pngread.c
index 948dc9a..691aced 100644
--- a/pngread.c
+++ b/pngread.c
@@ -963,21 +963,19 @@ png_read_destroy(png_structrp png_ptr)
png_ptr->quantize_index = NULL;
#endif
- if ((png_ptr->free_me & PNG_FREE_PLTE) != 0)
- {
- png_zfree(png_ptr, png_ptr->palette);
- png_ptr->palette = NULL;
- }
- png_ptr->free_me &= ~PNG_FREE_PLTE;
+ /* png_ptr->palette is always independently allocated (not aliased
+ * with info_ptr->palette), so free it unconditionally.
+ */
+ png_free(png_ptr, png_ptr->palette);
+ png_ptr->palette = NULL;
#if defined(PNG_tRNS_SUPPORTED) || \
defined(PNG_READ_EXPAND_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED)
- if ((png_ptr->free_me & PNG_FREE_TRNS) != 0)
- {
- png_free(png_ptr, png_ptr->trans_alpha);
- png_ptr->trans_alpha = NULL;
- }
- png_ptr->free_me &= ~PNG_FREE_TRNS;
+ /* png_ptr->trans_alpha is always independently allocated (not aliased
+ * with info_ptr->trans_alpha), so free it unconditionally.
+ */
+ png_free(png_ptr, png_ptr->trans_alpha);
+ png_ptr->trans_alpha = NULL;
#endif
inflateEnd(&png_ptr->zstream);
diff --git a/pngrtran.c b/pngrtran.c
index 425b1aa..97c64d7 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -750,7 +750,13 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
}
if (png_ptr->palette == NULL)
{
- png_ptr->palette = palette;
+ /* Allocate an owned copy rather than aliasing the caller's pointer,
+ * so that png_read_destroy can free png_ptr->palette unconditionally.
+ */
+ png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
+ memcpy(png_ptr->palette, palette, (unsigned int)num_palette *
+ (sizeof (png_color)));
}
png_ptr->num_palette = (png_uint_16)num_palette;
@@ -1978,6 +1984,21 @@ png_read_transform_info(png_structrp png_ptr, png_inforp info_ptr)
{
png_debug(1, "in png_read_transform_info");
+ if (png_ptr->transformations != 0)
+ {
+ if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
+ info_ptr->palette != NULL && png_ptr->palette != NULL)
+ {
+ /* Sync info_ptr->palette with png_ptr->palette.
+ * The function png_init_read_transformations may have modified
+ * png_ptr->palette in place (e.g. for gamma correction or for
+ * background compositing).
+ */
+ memcpy(info_ptr->palette, png_ptr->palette,
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)));
+ }
+ }
+
#ifdef PNG_READ_EXPAND_SUPPORTED
if ((png_ptr->transformations & PNG_EXPAND) != 0)
{
diff --git a/pngrutil.c b/pngrutil.c
index d31dc21..2128b2a 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1905,10 +1905,6 @@ png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
return;
}
- /* TODO: this is a horrible side effect in the palette case because the
- * png_struct ends up with a pointer to the tRNS buffer owned by the
- * png_info. Fix this.
- */
png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
&(png_ptr->trans_color));
}
diff --git a/pngset.c b/pngset.c
index eb1c8c7..6543ea4 100644
--- a/pngset.c
+++ b/pngset.c
@@ -595,28 +595,38 @@ png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
png_error(png_ptr, "Invalid palette");
}
- /* It may not actually be necessary to set png_ptr->palette here;
- * we do it for backward compatibility with the way the png_handle_tRNS
- * function used to do the allocation.
- *
- * 1.6.0: the above statement appears to be incorrect; something has to set
- * the palette inside png_struct on read.
- */
png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
/* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
* of num_palette entries, in case of an invalid PNG file or incorrect
* call to png_set_PLTE() with too-large sample values.
+ *
+ * Allocate independent buffers for info_ptr and png_ptr so that the
+ * lifetime of png_ptr->palette is decoupled from the lifetime of
+ * info_ptr->palette. Previously, these two pointers were aliased,
+ * which caused a use-after-free vulnerability if png_free_data freed
+ * info_ptr->palette while png_ptr->palette was still in use by the
+ * row transform functions (e.g. png_do_expand_palette).
+ *
+ * Both buffers are allocated with png_calloc to zero-fill, because
+ * the ARM NEON palette riffle reads all 256 entries unconditionally,
+ * regardless of num_palette.
*/
+ png_free(png_ptr, png_ptr->palette);
png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
+ info_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
+ png_ptr->num_palette = info_ptr->num_palette = (png_uint_16)num_palette;
if (num_palette > 0)
+ {
+ memcpy(info_ptr->palette, palette, (unsigned int)num_palette *
+ (sizeof (png_color)));
memcpy(png_ptr->palette, palette, (unsigned int)num_palette *
(sizeof (png_color)));
+ }
- info_ptr->palette = png_ptr->palette;
- info_ptr->num_palette = png_ptr->num_palette = (png_uint_16)num_palette;
info_ptr->free_me |= PNG_FREE_PLTE;
info_ptr->valid |= PNG_INFO_PLTE;
}
@@ -990,26 +1000,34 @@ png_set_tRNS(png_structrp png_ptr, png_inforp info_ptr,
if (trans_alpha != NULL)
{
- /* It may not actually be necessary to set png_ptr->trans_alpha here;
- * we do it for backward compatibility with the way the png_handle_tRNS
- * function used to do the allocation.
- *
- * 1.6.0: The above statement is incorrect; png_handle_tRNS effectively
- * relies on png_set_tRNS storing the information in png_struct
- * (otherwise it won't be there for the code in pngrtran.c).
- */
-
png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
{
- /* Changed from num_trans to PNG_MAX_PALETTE_LENGTH in version 1.2.1 */
+ /* Allocate info_ptr's copy of the transparency data. */
info_ptr->trans_alpha = png_voidcast(png_bytep,
png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
memcpy(info_ptr->trans_alpha, trans_alpha, (size_t)num_trans);
+
+ /* Allocate an independent copy for png_struct, so that the
+ * lifetime of png_ptr->trans_alpha is decoupled from the
+ * lifetime of info_ptr->trans_alpha. Previously these two
+ * pointers were aliased, which caused a use-after-free if
+ * png_free_data freed info_ptr->trans_alpha while
+ * png_ptr->trans_alpha was still in use by the row transform
+ * functions (e.g. png_do_expand_palette).
+ */
+ png_free(png_ptr, png_ptr->trans_alpha);
+ png_ptr->trans_alpha = png_voidcast(png_bytep,
+ png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
+ memcpy(png_ptr->trans_alpha, trans_alpha, (size_t)num_trans);
+ }
+ else
+ {
+ png_free(png_ptr, png_ptr->trans_alpha);
+ png_ptr->trans_alpha = NULL;
}
- png_ptr->trans_alpha = info_ptr->trans_alpha;
}
if (trans_color != NULL)
diff --git a/pngwrite.c b/pngwrite.c
index 2201d3a..11bdfa0 100644
--- a/pngwrite.c
+++ b/pngwrite.c
@@ -977,6 +977,10 @@ png_write_destroy(png_structrp png_ptr)
png_ptr->chunk_list = NULL;
#endif
+ /* Free the independent copy of the palette owned by png_struct. */
+ png_free(png_ptr, png_ptr->palette);
+ png_ptr->palette = NULL;
+
/* The error handling and memory handling information is left intact at this
* point: the jmp_buf may still have to be freed. See png_destroy_png_struct
* for how this happens.
--
2.1.4