security improvements related to integral behavior #9
Trying to make some improvements with respect to integral behavior. So far I have primarily tackled issues regarding logical operations on signed integer values:
png.c line 37
An expression of 'essentially signed' type is being used as the operand of this bitwise operator.
```c
png_ptr->sig_bytes = (png_byte)((num_bytes < 0 ? 0 : num_bytes) & 0xff);
```
changed num_bytes argument from int to png_size_t here and in png.h
png.c line 483
An expression of 'essentially signed' type is being used as the operand of this bitwise operator.
The operand is constant, 'essentially signed' and negative but will be implicitly converted to an unsigned type in this bitwise operation.
Constant: Negative value implicitly converted to an unsigned type.
Changed the following defines in png.h to be unsigned int literals:
```c
#define PNG_INFO_gAMA 0x0001U
#define PNG_INFO_sBIT 0x0002U
#define PNG_INFO_cHRM 0x0004U
#define PNG_INFO_PLTE 0x0008U
#define PNG_INFO_tRNS 0x0010U
#define PNG_INFO_bKGD 0x0020U
#define PNG_INFO_hIST 0x0040U
#define PNG_INFO_pHYs 0x0080U
#define PNG_INFO_oFFs 0x0100U
#define PNG_INFO_tIME 0x0200U
#define PNG_INFO_pCAL 0x0400U
#define PNG_INFO_sRGB 0x0800U /* GR-P, 0.96a */
#define PNG_INFO_iCCP 0x1000U /* ESR, 1.0.6 */
#define PNG_INFO_sPLT 0x2000U /* ESR, 1.0.6 */
#define PNG_INFO_sCAL 0x4000U /* ESR, 1.0.6 */
#define PNG_INFO_IDAT 0x8000U /* ESR, 1.0.6 */
```
png.c line 483
An expression of 'essentially signed' type is being used as the operand of this bitwise operator.
changed PNG_FREE_MUL to unsigned in png.h
png.c lines 875-877
```c
palette[i].red = (png_byte)(v & 0xff);
palette[i].green = (png_byte)(v & 0xff);
palette[i].blue = (png_byte)(v & 0xff);
```
An expression of 'essentially signed' type is being used as the operand of a bitwise operator.
changed i and v to unsigned.
not fixed yet:
```c
for (i = 0, v = 0; i < num_palette; i++, v += color_inc)
```
color_inc should be unsigned, but all the assignments would need to be changed
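The three kinds of change described in this PR, side by side, as an added example that is not part of the PR or of libpng itself: the signed-masked `sig_bytes` form beside its unsigned replacement, flag clearing with the `U`-suffixed constants, and the gray-palette loop with `i`, `v` and `color_inc` all unsigned. The typedefs, the two-flag subset and the `gray_palette_value` helper are assumptions made for the example.

```c
#include <stddef.h>

/* Minimal stand-ins for the libpng types used below (assumed for this example). */
typedef unsigned char png_byte;
typedef size_t png_size_t;
typedef struct { png_byte red, green, blue; } png_color;

/* Two of the info flags as unsigned literals, matching the change in png.h. */
#define PNG_INFO_gAMA 0x0001U
#define PNG_INFO_PLTE 0x0008U

/* Pre-change shape without the guard: masking a signed value does not reject a
   negative input, it silently truncates it (v == -1 yields 0xff). */
png_byte low_byte_signed_unguarded(int v) {
    return (png_byte)(v & 0xff);
}

/* Pre-change form as it appears in png.c: the guard is what keeps a negative
   num_bytes from reaching the mask. */
png_byte sig_bytes_signed(int num_bytes) {
    return (png_byte)((num_bytes < 0 ? 0 : num_bytes) & 0xff);
}

/* Post-change form: with png_size_t there is no negative range to guard, and
   every operand of the bitwise AND is essentially unsigned. */
png_byte sig_bytes_unsigned(png_size_t num_bytes) {
    return (png_byte)(num_bytes & 0xffU);
}

/* Clearing a flag: with 0x0001U the complement ~flag stays unsigned, so no
   negative constant is implicitly converted in the AND. */
unsigned int clear_flag(unsigned int valid, unsigned int flag) {
    return valid & ~flag;
}

/* Gray palette fill with i, v and color_inc all unsigned, the form the PR
   lists as not fixed yet. Returns the red component of entry `index`
   (0 if out of range); num_palette is clamped to the 256-entry PNG maximum. */
png_byte gray_palette_value(unsigned int num_palette, unsigned int color_inc,
                            unsigned int index) {
    png_color palette[256];
    unsigned int i, v;
    if (num_palette > 256) num_palette = 256;
    for (i = 0, v = 0; i < num_palette; i++, v += color_inc) {
        palette[i].red   = (png_byte)(v & 0xffU);
        palette[i].green = (png_byte)(v & 0xffU);
        palette[i].blue  = (png_byte)(v & 0xffU);
    }
    return index < num_palette ? palette[index].red : 0;
}
```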