Bug 1288588 - Exit on bad CRC in fcTL or fdAT chunk in an APNG file. …

…r=jrmuizel
Brli · Aug 13, 2016 · 2e4464d · 2e4464d
1 parent e8ba314
commit 2e4464d
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 4 deletions.
diff --git a/image/decoders/nsPNGDecoder.cpp b/image/decoders/nsPNGDecoder.cpp
@@ -973,6 +973,14 @@ nsPNGDecoder::frame_info_callback(png_structp png_ptr, png_uint_32 frame_num)
                           png_get_next_frame_width(png_ptr, decoder->mInfo),
                           png_get_next_frame_height(png_ptr, decoder->mInfo));
 
+#ifndef PNGLCONF_H
+  // if using system library, check frame_width and height against 0
+  if (frameRect.width == 0)
+    png_error(png_ptr, "Frame width must not be 0");
+  if (frameRect.height == 0)
+    png_error(png_ptr, "Frame height must not be 0");
+#endif
+
   const bool isInterlaced = bool(decoder->interlacebuf);
 
   decoder->mNextFrameInfo = Some(FrameInfo{ decoder->format,

diff --git a/media/libpng/apng.patch b/media/libpng/apng.patch
@@ -1045,9 +1045,9 @@ Index: pngset.c
 +    png_byte dispose_op, png_byte blend_op)
 +{
 +    if (width == 0 || width > PNG_UINT_31_MAX)
-+        png_error(png_ptr, "invalid width in fcTL (> 2^31-1)");
++        png_error(png_ptr, "invalid width in fcTL (0 or > 2^31-1)");
 +    if (height == 0 || height > PNG_UINT_31_MAX)
-+        png_error(png_ptr, "invalid height in fcTL (> 2^31-1)");
++        png_error(png_ptr, "invalid height in fcTL (0 or > 2^31-1)");
 +    if (x_offset > PNG_UINT_31_MAX)
 +        png_error(png_ptr, "invalid x_offset in fcTL (> 2^31-1)");
 +    if (y_offset > PNG_UINT_31_MAX)

diff --git a/media/libpng/pnglibconf.h b/media/libpng/pnglibconf.h
@@ -5,6 +5,8 @@
 #ifndef PNGLCONF_H
 #define PNGLCONF_H
 
+#define MOZ_EMBEDDED_LIBPNG
+
 /* Limit image dimensions (bug #251381, #591822, #967656, and #1283961) */
 #ifndef MOZ_PNG_MAX_WIDTH
 #  define MOZ_PNG_MAX_WIDTH 0x7fffffffL /* Unlimited */

diff --git a/media/libpng/pngset.c b/media/libpng/pngset.c
@@ -1196,9 +1196,9 @@ png_ensure_fcTL_is_valid(png_structp png_ptr,
     png_byte dispose_op, png_byte blend_op)
 {
     if (width == 0 || width > PNG_UINT_31_MAX)
-        png_error(png_ptr, "invalid width in fcTL (> 2^31-1)");
+        png_error(png_ptr, "invalid width in fcTL (0 or > 2^31-1)");
     if (height == 0 || height > PNG_UINT_31_MAX)
-        png_error(png_ptr, "invalid height in fcTL (> 2^31-1)");
+        png_error(png_ptr, "invalid height in fcTL (0 or > 2^31-1)");
     if (x_offset > PNG_UINT_31_MAX)
         png_error(png_ptr, "invalid x_offset in fcTL (> 2^31-1)");
     if (y_offset > PNG_UINT_31_MAX)