Patch in a candidate fix for ossfuzz issue 24232
- Improves handling of certain invalid PNGs by stb_image
This commit is contained in:
Benjamin A. Beasley
parent
ef095c651c
commit
e53fbc0d95
32
1230.patch
Normal file
32
1230.patch
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
From b5d9d9719b001c67ca922df547a85a0fae364997 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Neil Bickford <nbickford@nvidia.com>
|
||||||
|
Date: Fri, 15 Oct 2021 11:04:41 -0700
|
||||||
|
Subject: [PATCH] stb_image PNG: Checks for invalid DEFLATE codes.
|
||||||
|
|
||||||
|
Specifically, this rejects length codes 286 and 287, and distance codes 30 and 31.
|
||||||
|
This avoids a scenario in which a file could contain a table in which
|
||||||
|
0 corresponded to length code 287, which would result in writing 0 bits.
|
||||||
|
|
||||||
|
Signed-off-by: Neil Bickford <nbickford@nvidia.com>
|
||||||
|
---
|
||||||
|
stb_image.h | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/stb_image.h b/stb_image.h
|
||||||
|
index d60371b95..ab616c56d 100644
|
||||||
|
--- a/stb_image.h
|
||||||
|
+++ b/stb_image.h
|
||||||
|
@@ -4256,11 +4256,12 @@ static int stbi__parse_huffman_block(stbi__zbuf *a)
|
||||||
|
a->zout = zout;
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
+ if (z >= 286) return stbi__err("bad huffman code","Corrupt PNG"); // per DEFLATE, length codes 286 and 287 must not appear in compressed data
|
||||||
|
z -= 257;
|
||||||
|
len = stbi__zlength_base[z];
|
||||||
|
if (stbi__zlength_extra[z]) len += stbi__zreceive(a, stbi__zlength_extra[z]);
|
||||||
|
z = stbi__zhuffman_decode(a, &a->z_distance);
|
||||||
|
- if (z < 0) return stbi__err("bad huffman code","Corrupt PNG");
|
||||||
|
+ if (z < 0 || z >= 30) return stbi__err("bad huffman code","Corrupt PNG"); // per DEFLATE, distance codes 30 and 31 must not appear in compressed data
|
||||||
|
dist = stbi__zdist_base[z];
|
||||||
|
if (stbi__zdist_extra[z]) dist += stbi__zreceive(a, stbi__zdist_extra[z]);
|
||||||
|
if (zout - a->zout_start < dist) return stbi__err("bad dist","Corrupt PNG");
|
||||||
11
stb.spec
11
stb.spec
@ -101,10 +101,19 @@ Patch: %{url}/pull/1236.patch
|
|||||||
#
|
#
|
||||||
# ----
|
# ----
|
||||||
#
|
#
|
||||||
# Additional stb_image fixes for bugs from ossfuzz and issues 1289, 1291, 1292, and 1293
|
# Additional stb_image fixes for bugs from ossfuzz and issues 1289, 1291, 1292,
|
||||||
|
# and 1293
|
||||||
# https://github.com/nothings/stb/pull/1297
|
# https://github.com/nothings/stb/pull/1297
|
||||||
Patch: %{url}/pull/1297.patch
|
Patch: %{url}/pull/1297.patch
|
||||||
|
|
||||||
|
# stb_image PNG reader: Adds checks for invalid DEFLATE codes, fixing an
|
||||||
|
# infinite loop found by ossfuzz.
|
||||||
|
# https://github.com/nothings/stb/pull/1230
|
||||||
|
# Fixes:
|
||||||
|
# Issue 24232: stb:stb_png_read_fuzzer: Timeout in stb_png_read_fuzzer
|
||||||
|
# https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24232&q=proj%3Dstb
|
||||||
|
Patch: %{url}/pull/1230.patch
|
||||||
|
|
||||||
%global stb_c_lexer_version 0.12
|
%global stb_c_lexer_version 0.12
|
||||||
%global stb_connected_components_version 0.96
|
%global stb_connected_components_version 0.96
|
||||||
%global stb_divide_version 0.94
|
%global stb_divide_version 0.94
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user