[libpng16] Fix bug in pngerror.c: some long warnings were being improperly

truncated (bug introduced in libpng-1.5.3beta05).

ANNOUNCE

@@ -1,5 +1,5 @@
 
-Libpng 1.6.0beta05 - January 11, 2012
+Libpng 1.6.0beta05 - January 15, 2012
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -104,8 +104,10 @@ Version 1.6.0beta04 [December 30, 2011]
   Revised contrib/pngminus/pnm2png.c to avoid warnings when png_uint_32
     and unsigned long are of different sizes.
 
-Version 1.6.0beta05 [January 11, 2012]
+Version 1.6.0beta05 [January 15, 2012]
   Updated manual with description of the simplified API (copied from png.h)
+  Fix bug in pngerror.c: some long warnings were being improperly truncated
+    (bug introduced in libpng-1.5.3beta05).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

CHANGES

@@ -3855,8 +3855,10 @@ Version 1.6.0beta04 [December 30, 2011]
   Revised contrib/pngminus/pnm2png.c to avoid warnings when png_uint_32
     and unsigned long are of different sizes.
 
-Version 1.6.0beta05 [January 11, 2012]
+Version 1.6.0beta05 [January 15, 2012]
   Updated manual with description of the simplified API (copied from png.h)
+  Fix bug in pngerror.c: some long warnings were being improperly truncated
+    (bug introduced in libpng-1.5.3beta05).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

pngerror.c

@@ -286,32 +286,35 @@ png_formatted_warning(png_const_structrp png_ptr, png_warning_parameters p,
    /* The internal buffer is just 128 bytes - enough for all our messages,
     * overflow doesn't happen because this code checks!
     */
-   size_t i;
+   size_t i = 0; /* Index in the msg[] buffer: */
    char msg[128];
 
-   for (i=0; i<(sizeof msg)-1 && *message != '\0'; ++i)
+   /* Each iteration through the following loop writes at most one character
+    * to msg[i++] then returns here to validate that there is still space for
+    * the trailing '\0'.  It may (in the case of a parameter) read more than
+    * one character from message[]; it must check for '\0' and continue to the
+    * test if it finds the end of string.
+    */
+   while (i<(sizeof msg)-1 && *message != '\0')
    {
-      if (*message == '@')
+      /* '@' at end of string is now just printed (previously it was skipped);
+       * it is an error in the calling code to terminate the string with @.
+       */
+      if (p != NULL && *message == '@' && message[1] != '\0')
       {
-         int parameter = -1;
+         int parameter_char = *++message; /* Consume the '@' */
-         switch (*++message)
+         static const char valid_parameters[] = "123456789";
-         {
+         int parameter = 0;
-            case '1':
-               parameter = 0;
-               break;
 
-            case '2':
+         /* Search for the parameter digit, the index in the string is the
-               parameter = 1;
+          * parameter to use.
-               break;
+          */
+         while (valid_parameters[parameter] != parameter_char &&
+            valid_parameters[parameter] != '\0')
+            ++parameter;
 
-            case '\0':
+         /* If the parameter digit is out of range it will just get printed. */
-               continue; /* To break out of the for loop above. */
+         if (parameter < PNG_WARNING_PARAMETER_COUNT)
-
-            default:
-               break;
-         }
-
-         if (parameter >= 0 && parameter < PNG_WARNING_PARAMETER_COUNT)
          {
             /* Append this parameter */
             png_const_charp parm = p[parameter];
@@ -321,28 +324,32 @@ png_formatted_warning(png_const_structrp png_ptr, png_warning_parameters p,
              * that parm[] has been initialized, so there is no guarantee of a
              * trailing '\0':
              */
-            for (; i<(sizeof msg)-1 && parm != '\0' && parm < pend; ++i)
+            while (i<(sizeof msg)-1 && *parm != '\0' && parm < pend)
-               msg[i] = *parm++;
+               msg[i++] = *parm++;
 
+            /* Consume the parameter digit too: */
             ++message;
             continue;
          }
 
          /* else not a parameter and there is a character after the @ sign; just
-          * copy that.
+          * copy that.  This is known not to be '\0' because of the test above.
           */
       }
 
       /* At this point *message can't be '\0', even in the bad parameter case
        * above where there is a lone '@' at the end of the message string.
        */
-      msg[i] = *message++;
+      msg[i++] = *message++;
    }
 
    /* i is always less than (sizeof msg), so: */
    msg[i] = '\0';
 
-   /* And this is the formatted message: */
+   /* And this is the formatted message, it may be larger than
+    * PNG_MAX_ERROR_TEXT, but that is only used for 'chunk' errors and these are
+    * not (currently) formatted.
+    */
    png_warning(png_ptr, msg);
 }
 #endif /* PNG_WARNINGS_SUPPORTED */

pngpriv.h

@@ -1411,7 +1411,7 @@ PNG_EXTERN png_charp png_format_number(png_const_charp start, png_charp end,
 #ifdef PNG_WARNINGS_SUPPORTED
 /* New defines and members adding in libpng-1.5.4 */
 #  define PNG_WARNING_PARAMETER_SIZE 32
-#  define PNG_WARNING_PARAMETER_COUNT 8
+#  define PNG_WARNING_PARAMETER_COUNT 8 /* Maximum 9; see pngerror.c */
 
 /* An l-value of this type has to be passed to the APIs below to cache the
  * values of the parameters to a formatted warning message.