Date: Tue, 13 Jul 2021 12:11:46 +0000 (UTC)
To: 9fans <9fans@9fans.net>
Subject: Re: [9fans] pngread: alloc chunk's length
Message-ID: <7244e324-cdd9-3ee4-78cf-e7adecf54282@SDF.ORG>
From: "adr via 9fans" <9fans@9fans.net>

By the way, the length should be checked to not exceed 0x7FFFFFFF so a corrupt chunk can be detected early.

--- /n/dump/2021/0627/sys/src/cmd/jpg/readpng.c Thu Jan 24 23:39:55 2013 +++ /sys/src/cmd/jpg/readpng.c Tue Jul 13 11:16:50 2021 @@ -10,8 +10,6 @@ enum { - IDATSIZE =3D 1000000, - /* filtering algorithms */ FilterNone =3D 0, /* new[x][y] =3D buf[x][y] */ FilterSub =3D 1, /* new[x][y] =3D buf[x][y] + new[x-1][y] = */=20 
@@ -51,7 +49,6 @@ struct ZlibR { Biobuf *io; /* input buffer */ - uchar *buf; /* malloc'ed staging buffer */ uchar *p; /* next byte to decompress */ uchar *e; /* end of buffer */ ZlibW *w; @@ -94,19 +91,28 @@ } static int -getchunk(Biobuf *b, char *type, uchar *d, int m) +chunklen(Biobuf *b) +{ + ulong n; + + uchar buf[4]; + + if(Bread(b, buf, 4) !=3D 4 || (n=3Dget4(buf)) > 0x7FFFFFFF) + return -1; + return n; +} + +static int +getchunk(Biobuf *b, char *type, uchar *d, int n) { - uchar buf[8]; + uchar buf[4]; ulong crc =3D 0, crc2; - int n, nr; + int nr; - if(Bread(b, buf, 8) !=3D 8) + if(Bread(b, buf, 4) !=3D 4) return -1; - n =3D get4(buf); - memmove(type, buf+4, 4); + memmove(type, buf, 4); type[4] =3D 0; - if(n > m) - sysfatal("getchunk needed %d, had %d", n, m); nr =3D Bread(b, d, n); if(nr !=3D n) sysfatal("getchunk read %d, expected %d", nr, n); @@ -117,7 +123,7 @@ crc2 =3D get4(buf); if(crc !=3D crc2) sysfatal("getchunk crc failed"); - return n; + return 0; } static int @@ -129,25 +135,31 @@ if(z->p >=3D z->e){ Again: - z->p =3D z->buf; + n =3D chunklen(z->io); + if(n < 0) + return -1; + z->p =3D pngmalloc(n, 0); z->e =3D z->p; - n =3D getchunk(z->io, type, z->p, IDATSIZE); - if(n < 0 || strcmp(type, "IEND") =3D=3D 0) + getchunk(z->io, type, z->p, n); + if(strcmp(type, "IEND") =3D=3D 0){ + free(z->p); return -1; + } z->e =3D z->p + n; if(!strcmp(type,"PLTE")){ if(n < 3 || n > 3*256 || n%3) sysfatal("invalid PLTE chunk len %d", n); memcpy(z->w->palette, z->p, n); z->w->palsize =3D 256; + free(z->p); goto Again; } - if(type[0] & PropertyBit) + if(type[0] & PropertyBit){ + free(z->p); goto Again; /* skip auxiliary chunks fornow */ - if(strcmp(type,"IDAT")){ - sysfatal("unrecognized mandatory chunk %s", type); - goto Again; } + if(strcmp(type,"IDAT")) + sysfatal("unrecognized mandatory chunk %s", type); } return *z->p++; } 
@@ -388,13 +400,18 @@ ZlibR zr; ZlibW zw; - buf =3D pngmalloc(IDATSIZE, 0); + buf =3D pngmalloc(sizeof PNGmagic, 0); if(Bread(b, buf, sizeof PNGmagic) !=3D sizeof PNGmagic || memcmp(PNGmagic, buf, sizeof PNGmagic) !=3D 0) sysfatal("bad PNGmagic"); + free(buf); - n =3D getchunk(b, type, buf, IDATSIZE); - if(n < 13 || strcmp(type,"IHDR") !=3D 0) + n =3D chunklen(b); + if(n < 13) + sysfatal("wrong IHDR chunk length"); + buf =3D pngmalloc(n, 0); + getchunk(b, type, buf, n); + if(strcmp(type,"IHDR") !=3D 0) sysfatal("missing IHDR chunk"); h =3D buf; dx =3D get4(h); @@ -460,7 +477,7 @@ memset(&zr, 0, sizeof zr); zr.w =3D &zw; zr.io =3D b; - zr.buf =3D buf; + free(buf); memset(&zw, 0, sizeof zw); if(useadam7) @@ -483,7 +500,6 @@ if(err) sysfatal("inflatezlib %s\n", flateerr(err)); - free(buf); free(zw.scan); free(zw.lastscan); return image;
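
Review bot: In the @@ -94,19 +91,28 @@ hunk, chunklen() accepts any length up to 0x7FFFFFFF and getchunk() loses its `n > m` guard, so the size of the caller's allocation now comes straight from the file before any chunk data has been read or its CRC checked. A truncated or corrupt file can declare a chunk of nearly 2 GiB and is only rejected later at `nr != n`. Consider a tighter per-chunk ceiling in chunklen(), or reading large chunks in bounded pieces. Two smaller points: getchunk() now depends on the caller passing a buffer of exactly n bytes and returns 0 instead of the length, which deserves a comment above the function; and the blank line between `ulong n;` and `uchar buf[4];` splits the declarations.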
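
Review bot: In the @@ -129,25 +135,31 @@ hunk, the buffer from `z->p = pngmalloc(n, 0)` is never freed on the IDAT path: `return *z->p++` advances the only pointer to it, and with the `buf` member removed from ZlibR no base address remains to hand to free() when the next chunk is fetched. Every IDAT chunk is leaked, so memory use grows with the compressed size of the image. Keeping the base pointer in ZlibR and freeing it at `Again:` before the next pngmalloc() would fix this and let the IEND, PLTE and auxiliary branches share one free. The return value of getchunk() is also dropped here; it still returns -1 when the 4-byte type read comes up short, and in that case getchunk() has not written `type` before the strcmp() calls. A zero-length IDAT chunk deserves a check too, since `z->e = z->p + n` leaves the buffer empty and the code still falls through to `return *z->p++`.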
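
Review bot: In the @@ -388,13 +400,18 @@ hunk, the IHDR length is bounded only from below by `if(n < 13)` and the buffer is then sized from n, so an IHDR chunk that declares a much larger length is allocated and read in full before `strcmp(type,"IHDR")` runs. PNG defines the IHDR data as exactly 13 bytes, so testing `n != 13` would reject such a header up front. The getchunk() result is ignored here as well, so a short read of the chunk type leaves `type` unset for the strcmp(). The magic bytes could be read into a local array rather than through a pngmalloc()/free() pair.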