[libpng16] Check for invalid palette index while reading paletted PNG. When

one is found, issue a warning and increase png_ptr->num_palette accordingly.
Apps are responsible for checking to see if that happened.

ANNOUNCE

@@ -1,5 +1,5 @@
 
-Libpng 1.6.0beta11 - February 13, 2012
+Libpng 1.6.0beta11 - February 17, 2012
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -176,7 +176,7 @@ Version 1.6.0beta10 [February 3, 2012]
   Updated the prebuilt configure files to current condition.
   Revised INSTALL information about autogen.sh; it works in tar distributions.
 
-Version 1.6.0beta11 [February 13, 2012]
+Version 1.6.0beta11 [February 17, 2012]
   Fix character count in pngstest command in projects/owatcom/pngstest.tgt
   Revised test-pngstest.sh to report PASS/FAIL for each image.
   Updated documentation about the simplified API.
@@ -207,6 +207,9 @@ Version 1.6.0beta11 [February 13, 2012]
     produces warnings from gcc with some warning options (including -Wall). The
     fix is to cause png.h to declare the functions with PNG_INTERNAL_FUNCTION
     when png.h is included from pngpriv.h.
+  Check for invalid palette index while reading paletted PNG.  When one is
+    found, issue a warning and increase png_ptr->num_palette accordingly.
+    Apps are responsible for checking to see if that happened.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

CHANGES

@@ -3927,7 +3927,7 @@ Version 1.6.0beta10 [February 3, 2012]
   Updated the prebuilt configure files to current condition.
   Revised INSTALL information about autogen.sh; it works in tar distributions.
 
-Version 1.6.0beta11 [February 13, 2012]
+Version 1.6.0beta11 [February 17, 2012]
   Fix character count in pngstest command in projects/owatcom/pngstest.tgt
   Revised test-pngstest.sh to report PASS/FAIL for each image.
   Updated documentation about the simplified API.
@@ -3958,6 +3958,9 @@ Version 1.6.0beta11 [February 13, 2012]
     produces warnings from gcc with some warning options (including -Wall). The
     fix is to cause png.h to declare the functions with PNG_INTERNAL_FUNCTION
     when png.h is included from pngpriv.h.
+  Check for invalid palette index while reading paletted PNG.  When one is
+    found, issue a warning and increase png_ptr->num_palette accordingly.
+    Apps are responsible for checking to see if that happened.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

pngread.c

@@ -523,6 +523,27 @@ png_read_row(png_structrp png_ptr, png_bytep row, png_bytep dsp_row)
          png_error(png_ptr, "bad adaptive filter value");
    }
 
+   if ((png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) &&
+      (png_ptr->num_palette < (1 << png_ptr->bit_depth)))
+   {
+      if ((png_ptr->interlaced && png_ptr->pass == 6) ||
+          (!png_ptr->interlaced && png_ptr->pass == 0))
+      {
+         png_uint_32 i;
+         png_bytep rp = png_ptr->row_buf+1;
+
+         for (i = 0; i <= row_info.rowbytes; i++)
+         {
+            if (*rp >= png_ptr->num_palette)
+            {
+               png_warning(png_ptr,"Found invalid palette index");
+               png_ptr->num_palette=*rp;
+            }
+            rp++;
+         }
+      }
+   }
+
    /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before
     * 1.5.6, while the buffer really is this big in current versions of libpng
     * it may not be in the future, so this was changed just to copy the
@@ -585,6 +606,7 @@ png_read_row(png_structrp png_ptr, png_bytep row, png_bytep dsp_row)
 
    if (png_ptr->read_row_fn != NULL)
       (*(png_ptr->read_row_fn))(png_ptr, png_ptr->row_number, png_ptr->pass);
+
 }
 #endif /* PNG_SEQUENTIAL_READ_SUPPORTED */