[libpng16] Changed png_inflate() and calling routines to avoid overflow

problems.  This is an intermediate check-in that solves the immediate problems
and introduces one performance improvement (avoiding a copy via png_ptr->zbuf.)
Further changes will be made to make ICC profile handling more secure.

ANNOUNCE

@@ -261,6 +261,10 @@ Version 1.6.0beta15 [March 2, 2012]
 Version 1.6.0beta16 [March 4, 2012]
   Relocated palette-index checking function from pngrutil.c to pngtrans.c
   Added palette-index checking while writing.
+  Changed png_inflate() and calling routines to avoid overflow problems.
+    This is an intermediate check-in that solves the immediate problems and
+    introduces one performance improvement (avoiding a copy via png_ptr->zbuf.)
+    Further changes will be made to make ICC profile handling more secure.
   Fixed build warnings (MSVC, GCC, GCC v3). Cygwin GCC with default options
     declares 'index' as a global, causing a warning if it is used as a local
     variable.  GCC 64-bit warns about assigning a (size_t) (unsigned 64-bit)

CHANGES

@@ -4012,6 +4012,10 @@ Version 1.6.0beta15 [March 2, 2012]
 Version 1.6.0beta16 [March 4, 2012]
   Relocated palette-index checking function from pngrutil.c to pngtrans.c
   Added palette-index checking while writing.
+  Changed png_inflate() and calling routines to avoid overflow problems.
+    This is an intermediate check-in that solves the immediate problems and
+    introduces one performance improvement (avoiding a copy via png_ptr->zbuf.)
+    Further changes will be made to make ICC profile handling more secure.
   Fixed build warnings (MSVC, GCC, GCC v3). Cygwin GCC with default options
     declares 'index' as a global, causing a warning if it is used as a local
     variable.  GCC 64-bit warns about assigning a (size_t) (unsigned 64-bit)

png.h

@@ -1,7 +1,7 @@
 
 /* png.h - header file for PNG reference library
  *
- * libpng version 1.6.0beta16 - March 3, 2012
+ * libpng version 1.6.0beta16 - March 4, 2012
  * Copyright (c) 1998-2012 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -11,7 +11,7 @@
  * Authors and maintainers:
  *   libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat
  *   libpng versions 0.89c, June 1996, through 0.96, May 1997: Andreas Dilger
- *   libpng versions 0.97, January 1998, through 1.6.0beta16 - March 3, 2012: Glenn
+ *   libpng versions 0.97, January 1998, through 1.6.0beta16 - March 4, 2012: Glenn
  *   See also "Contributing Authors", below.
  *
  * Note about libpng version numbers:
@@ -198,7 +198,7 @@
  *
  * This code is released under the libpng license.
  *
- * libpng versions 1.2.6, August 15, 2004, through 1.6.0beta16, March 3, 2012, are
+ * libpng versions 1.2.6, August 15, 2004, through 1.6.0beta16, March 4, 2012, are
  * Copyright (c) 2004, 2006-2012 Glenn Randers-Pehrson, and are
  * distributed according to the same disclaimer and license as libpng-1.2.5
  * with the following individual added to the list of Contributing Authors:
@@ -310,7 +310,7 @@
  * Y2K compliance in libpng:
  * =========================
  *
- *    March 3, 2012
+ *    March 4, 2012
  *
  *    Since the PNG Development group is an ad-hoc body, we can't make
  *    an official declaration.
@@ -376,7 +376,7 @@
 /* Version information for png.h - this should match the version in png.c */
 #define PNG_LIBPNG_VER_STRING "1.6.0beta16"
 #define PNG_HEADER_VERSION_STRING \
-     " libpng version 1.6.0beta16 - March 3, 2012\n"
+     " libpng version 1.6.0beta16 - March 4, 2012\n"
 
 #define PNG_LIBPNG_VER_SONUM   16
 #define PNG_LIBPNG_VER_DLLNUM  16

pngpriv.h

@@ -822,14 +822,7 @@ PNG_INTERNAL_FUNCTION(void,png_read_data,(png_structrp png_ptr, png_bytep data,
 
 /* Read bytes into buf, and update png_ptr->crc */
 PNG_INTERNAL_FUNCTION(void,png_crc_read,(png_structrp png_ptr, png_bytep buf,
-    png_size_t length),PNG_EMPTY);
-
-/* Decompress data in a chunk that uses compression */
-#if defined(PNG_READ_COMPRESSED_TEXT_SUPPORTED)
-PNG_INTERNAL_FUNCTION(void,png_decompress_chunk,(png_structrp png_ptr,
-   int comp_type, png_size_t chunklength, png_size_t prefix_length,
-   png_size_t *data_length),PNG_EMPTY);
-#endif
+    png_uint_32 length),PNG_EMPTY);
 
 /* Read "skip" bytes, read the file crc, and (optionally) verify png_ptr->crc */
 PNG_INTERNAL_FUNCTION(int,png_crc_finish,(png_structrp png_ptr,

pngread.c

@@ -491,8 +491,7 @@ png_read_row(png_structrp png_ptr, png_bytep row, png_bytep dsp_row)
          png_ptr->zstream.next_in = png_ptr->zbuf;
          if (png_ptr->zbuf_size > png_ptr->idat_size)
             png_ptr->zstream.avail_in = (uInt)png_ptr->idat_size;
-         png_crc_read(png_ptr, png_ptr->zbuf,
-             (png_size_t)png_ptr->zstream.avail_in);
+         png_crc_read(png_ptr, png_ptr->zbuf, png_ptr->zstream.avail_in);
          png_ptr->idat_size -= png_ptr->zstream.avail_in;
       }