
Comments (6)

jbowler avatar jbowler commented on September 26, 2024

png_read_info succeeds, even though there is no IDAT chunk, and then png_read_row ends up in an infinite loop reading faked 0-length IDAT chunks. pngfix should be issuing a png_error when the read fails before the first IDAT.

from libpng.

jbowler avatar jbowler commented on September 26, 2024

Wrong: I believed pngcheck (well, OK, I didn't pass '-f' and apparently it aborts the read on a CRC error). There are IDAT chunks. In hangs/1.hangs:

Signature
IHDR (1x1 PNG)
bKGD (valid)
pHYS (valid, but with a bad CRC)
IDAT (length 0, bad CRC)
IDAT (length 131072, truncated)

The truncated IDAT does actually contain something that sort-of looks like IEND, but basically it is truncated.

I think the problem is that pngfix isn't handling a zero-length IDAT; it goes into an infinite loop. I thought this had been fixed, but maybe the fixes were only in libpng.


jbowler avatar jbowler commented on September 26, 2024

The error occurs in the writing of the IDAT chunks. An easy work-round is to give the '--max' option, then the writing re-chunks the input IDATs and the zero length one doesn't cause a problem. This works for all the examples (well, it 'fixes' the IDAT stream; there are other errors which pngfix doesn't fix and isn't intended to fix.)


jbowler avatar jbowler commented on September 26, 2024

The code in rechunk_length is using idat_index == 0 for two different things: indicating the first call to rechunk_length and indicating the end of a 0 length IDAT. This does not work of course. I've changed it to take the appropriate extra parameter and this seems to fix the problem. Unfortunately at the moment my ISP is down, so it may be a while before I can send the patch. It's trivial but definitely needs pre-rc review/test.


jbowler avatar jbowler commented on September 26, 2024

The following patch fixes all the hangs:

f0b453b

Please test; the logic of handling the rewrite of the PNG stream has changed very slightly but this may be enough to introduce more bugs. (It looks totally safe, but then this kind of change always does.) BTW I am pretty sure that the bug triggers on any PNG with a zero length IDAT anywhere; the pngfix code can't get beyond the first such chunk.


glennrp avatar glennrp commented on September 26, 2024

Pushed to the libpng16 and libpng17 branches of glennrp/libpng.
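
Added example, not part of the thread and not libpng or pngfix code: a stand-alone chunk walker that flags the conditions discussed above (zero-length IDAT, bad CRC, truncated chunk), so a corpus can be checked before it reaches an unpatched pngfix. The names png_scan, png_findings and sample are assumptions, and the sample bytes are constructed to resemble the layout listed for hangs/1.hangs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct png_findings { int chunks, zero_len_idat, bad_crc, truncated; };

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320), computed over type + data. */
static uint32_t png_crc(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (; n--; p++) {
        c ^= *p;
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* Walk the chunks after the signature; returns -1 if the signature is wrong. */
int png_scan(const uint8_t *buf, size_t len, struct png_findings *f) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1A, '\n'};
    memset(f, 0, sizeof *f);
    if (len < 8 || memcmp(buf, sig, 8) != 0) return -1;
    for (size_t off = 8; off < len; ) {
        if (len - off < 8) { f->truncated++; break; }      /* chunk header cut short */
        uint32_t clen = be32(buf + off);
        const uint8_t *type = buf + off + 4;
        f->chunks++;
        if (clen == 0 && memcmp(type, "IDAT", 4) == 0) f->zero_len_idat++;
        /* need clen data bytes plus 4 CRC bytes; compared without overflow */
        if (len - off < 12 || clen > len - off - 12) { f->truncated++; break; }
        if (png_crc(type, 4 + (size_t)clen) != be32(type + 4 + clen)) f->bad_crc++;
        if (memcmp(type, "IEND", 4) == 0) break;
        off += 12 + (size_t)clen;
    }
    return 0;
}
/* Constructed sample modelled on the layout in the thread (bKGD and pHYs omitted). */
static const uint8_t sample[] = {
    0x89, 'P', 'N', 'G', '\r', '\n', 0x1A, '\n',
    0,0,0,13, 'I','H','D','R', 0,0,0,1, 0,0,0,1, 8,6,0,0,0, 0x1F,0x15,0xC4,0x89, /* 1x1, valid CRC */
    0,0,0,0, 'I','D','A','T', 0,0,0,0,               /* zero-length IDAT, bad CRC */
    0,2,0,0, 'I','D','A','T', 0x78,0x9C              /* claims 131072 bytes, truncated */
};
int main(void) {
    struct png_findings f;
    if (png_scan(sample, sizeof sample, &f) != 0) return 2;
    printf("chunks=%d zero_len_idat=%d bad_crc=%d truncated=%d\n", f.chunks, f.zero_len_idat, f.bad_crc, f.truncated);
    return 0;
}
```

A nonzero zero_len_idat count marks a file that matches the trigger condition described in the thread.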
