diff --git a/ANNOUNCE b/ANNOUNCE index 8d0699302..72860edf2 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,5 +1,5 @@ -Libpng 1.4.8beta05 - June 8, 2011 +Libpng 1.4.8beta05 - June 18, 2011 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -44,10 +44,13 @@ version 1.4.8beta02 [June 5, 2011] version 1.4.8beta03 [June 6, 2011] Check for integer overflow in png_set_rgb_to_gray(). -version 1.4.8beta04 [June 8, 2011] +version 1.4.8beta04 [June 7, 2011] Fixed uninitialized memory read in png_format_buffer() (Bug report by Frank Busse, related to CVE-2004-0421). +version 1.4.8beta05 [June 18, 2011] + Fixed error in "ACCURATE" 16-to-8 scaling. + Send comments/corrections/commendations to glennrp at users.sourceforge.net or to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement). diff --git a/CHANGES b/CHANGES index 5a6120d2f..b180e60aa 100644 --- a/CHANGES +++ b/CHANGES @@ -2812,10 +2812,13 @@ version 1.4.8beta02 [June 5, 2011] version 1.4.8beta03 [June 6, 2011] Check for integer overflow in png_set_rgb_to_gray(). -version 1.4.8beta04 [June 8, 2011] +version 1.4.8beta04 [June 7, 2011] Fixed uninitialized memory read in png_format_buffer() (Bug report by Frank Busse, related to CVE-2004-0421). +version 1.4.8beta05 [June 18, 2011] + Fixed error in "ACCURATE" 16-to-8 scaling. + Send comments/corrections/commendations to glennrp at users.sourceforge.net or to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement). diff --git a/pngrtran.c b/pngrtran.c index 0a3874718..79a7cd6b3 100644 --- a/pngrtran.c +++ b/pngrtran.c @@ -1,7 +1,7 @@ /* pngrtran.c - transforms the data in a row for PNG readers * - * Last changed in libpng 1.4.8 [June 8, 2011] + * Last changed in libpng 1.4.8 [June 18, 2011] * Copyright (c) 1998-2011 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -1799,32 +1799,18 @@ png_do_chop(png_row_infop row_info, png_bytep row) for (i = 0; i> 8)) >> 8; - * - * Approximate calculation with shift/add instead of multiply/divide: - * *dp = ((((png_uint_32)(*sp) << 8) | - * (png_uint_32)((int)(*(sp + 1)) - *sp)) + 128) >> 8; - * - * What we actually do to avoid extra shifting and conversion: - */ - - *dp = *sp + ((((int)(*(sp + 1)) - *sp) > 128) ? 1 : 0); + /* This does a more accurate scaling of the 16-bit color + * value, rather than a simple low-byte truncation. + * + * Prior to libpng-1.4.8 and 1.5.4, the calculation here was + * incorrect, so if you used ACCURATE_SCALE you will now see + * a slightly different result. In libpng-1.5.4 and + * later you will need to use the new png_set_scale_16_to_8() + * API to obtain accurate 16-to-8 scaling. + */ + png_int_32 tmp = *sp++; /* must be signed! */ + tmp += (((int)*sp++ - tmp + 128) * 65535) >> 24; + *dp++ = (png_byte)tmp; #else /* Simply discard the low order byte */ *dp = *sp;