From 4f31b7f242ecbc765d67920b11560e24445f8496 Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Mon, 27 Feb 2017 20:17:56 -0600 Subject: [PATCH] [libpng16= Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer). --- ANNOUNCE | 5 +++-- CHANGES | 3 ++- pngrtran.c | 12 ++++++------ 3 files changed, 11 insertions(+), 9 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index 5775242bc..af00e885c 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,4 +1,4 @@ -Libpng 1.6.29beta03 - February 22, 2017 +Libpng 1.6.29beta03 - February 28, 2017 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -39,7 +39,8 @@ Version 1.6.29beta02 [February 22, 2017] branches; the comments were correct. Added code for PowerPC VSX optimisation (Vadim Barkov). -Version 1.6.29beta03 [February 22, 2017] +Version 1.6.29beta03 [February 28, 2017] + Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index 15b581abe..de068fec9 100644 --- a/CHANGES +++ b/CHANGES @@ -5808,7 +5808,8 @@ Version 1.6.29beta02 [February 22, 2017] branches; the comments were correct. Added code for PowerPC VSX optimisation (Vadim Barkov). -Version 1.6.29beta03 [February 22, 2017] +Version 1.6.29beta03 [February 28, 2017] + Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/pngrtran.c b/pngrtran.c index 0b4f4f906..3a075eccd 100644 --- a/pngrtran.c +++ b/pngrtran.c @@ -1,8 +1,8 @@ /* pngrtran.c - transforms the data in a row for PNG readers * - * Last changed in libpng 1.6.24 [August 4, 2016] - * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson + * Last changed in libpng 1.6.29 [(PENDING RELEASE)] + * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -4302,7 +4302,7 @@ png_do_expand_palette(png_row_infop row_info, png_bytep row, if (num_trans > 0) { sp = row + (png_size_t)row_width - 1; - dp = row + (png_size_t)(row_width << 2) - 1; + dp = row + ((png_size_t)row_width << 2) - 1; for (i = 0; i < row_width; i++) { @@ -4463,7 +4463,7 @@ png_do_expand(png_row_infop row_info, png_bytep row, { gray = gray & 0xff; sp = row + (png_size_t)row_width - 1; - dp = row + (png_size_t)(row_width << 1) - 1; + dp = row + ((png_size_t)row_width << 1) - 1; for (i = 0; i < row_width; i++) { @@ -4519,7 +4519,7 @@ png_do_expand(png_row_infop row_info, png_bytep row, png_byte green = (png_byte)(trans_color->green & 0xff); png_byte blue = (png_byte)(trans_color->blue & 0xff); sp = row + (png_size_t)row_info->rowbytes - 1; - dp = row + (png_size_t)(row_width << 2) - 1; + dp = row + ((png_size_t)row_width << 2) - 1; for (i = 0; i < row_width; i++) { if (*(sp - 2) == red && *(sp - 1) == green && *(sp) == blue) @@ -4542,7 +4542,7 @@ png_do_expand(png_row_infop row_info, png_bytep row, png_byte green_low = (png_byte)(trans_color->green & 0xff); png_byte blue_low = (png_byte)(trans_color->blue & 0xff); sp = row + row_info->rowbytes - 1; - dp = row + (png_size_t)(row_width << 3) - 1; + dp = row + ((png_size_t)row_width << 3) - 1; for (i = 0; i < row_width; i++) { if (*(sp - 5) == red_high &&