From 6530e3898d8282f3f13c37f4ebae7193d8e52b07 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson
Date: Mon, 17 Aug 2015 21:56:03 -0500
Subject: [PATCH] [libpng16] Restored previous handling of negative input to png_set_sig_bytes().
---
 libpng-manual.txt | 4 ----
 libpng.3 | 4 ----
 png.c | 3 +++
 3 files changed, 3 insertions(+), 8 deletions(-)
diff --git a/libpng-manual.txt b/libpng-manual.txt
index 1acb70f92..b1fffdd0f 100644
--- a/libpng-manual.txt
+++ b/libpng-manual.txt
@@ -5140,10 +5140,6 @@ It can be set for testing debug or beta builds to ensure that they will compile when the build type is switched to RC or STABLE. In essence this overrides the PNG_LIBPNG_BUILD_BASE_TYPE definition which is not directly user controllable.
-Starting with libpng-1.6.19, it is an error to call png_set_sig_bytes()
-with a negative number. Previously, a negative value was silently converted
-to zero.
-
 XIII. Detecting libpng The png_get_io_ptr() function has been present since libpng-0.88, has never
diff --git a/libpng.3 b/libpng.3
index af68c5984..2e2f12622 100644
--- a/libpng.3
+++ b/libpng.3
@@ -5648,10 +5648,6 @@ It can be set for testing debug or beta builds to ensure that they will compile when the build type is switched to RC or STABLE. In essence this overrides the PNG_LIBPNG_BUILD_BASE_TYPE definition which is not directly user controllable.
-Starting with libpng-1.6.19, it is an error to call png_set_sig_bytes()
-with a negative number. Previously, a negative value was silently converted
-to zero.
-
 .SH XIII. Detecting libpng The png_get_io_ptr() function has been present since libpng-0.88, has never
diff --git a/png.c b/png.c
index c57b071a9..541727760 100644
--- a/png.c
+++ b/png.c
@@ -33,6 +33,9 @@ png_set_sig_bytes(png_structrp png_ptr, int num_bytes) if (png_ptr == NULL) return;
+ if (num_bytes < 0)
+ nb = 0;
+
 if (nb > 8) png_error(png_ptr, "Too many bytes for PNG signature");
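Review bot: The added `if (num_bytes < 0) nb = 0;` clamp in png_set_sig_bytes() carries no comment, and this same commit deletes the only manual text that described how negative input is handled, so the contract is no longer written down anywhere. I would add above the check `/* A negative count is treated as 0 (no signature bytes already read), as in earlier releases; only a count above 8 is an error. */`. Clamping to zero looks like the conservative direction, since it presumably leaves the whole signature to be verified rather than skipping part of it. That is worth stating explicitly because `nb` is declared and initialised outside this hunk, so its relation to `num_bytes` cannot be confirmed from the visible lines. The function body starts and ends outside the hunk.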