From 81f44665cce4cb1373f049a76f3904e981b7a766 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson
Date: Thu, 29 Oct 2015 09:26:41 -0500
Subject: [PATCH] [libpng16] Reject attempt to write over-length PLTE chunk
---
 libpng-manual.txt | 5 +++++
 libpng.3 | 5 +++++
 pngwrite.c | 4 ++--
 pngwutil.c | 7 +++++--
 4 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/libpng-manual.txt b/libpng-manual.txt
index afdf291f0..921463c09 100644
--- a/libpng-manual.txt
+++ b/libpng-manual.txt
@@ -5142,6 +5142,11 @@ It can be set for testing debug or beta builds to ensure that they will compile when the build type is switched to RC or STABLE. In essence this overrides the PNG_LIBPNG_BUILD_BASE_TYPE definition which is not directly user controllable. +Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk +is an error. Previously this requirement of the PNG specification was not +enforced. Libpng continues to accept over-length PLTE chunks when reading, +but does not make any use of the extra entries. + XIII. Detecting libpng The png_get_io_ptr() function has been present since libpng-0.88, has never
diff --git a/libpng.3 b/libpng.3
index 7491f064a..75f7b68b7 100644
--- a/libpng.3
+++ b/libpng.3
@@ -5650,6 +5650,11 @@ It can be set for testing debug or beta builds to ensure that they will compile when the build type is switched to RC or STABLE. In essence this overrides the PNG_LIBPNG_BUILD_BASE_TYPE definition which is not directly user controllable. +Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk +is an error. Previously this requirement of the PNG specification was not +enforced. Libpng continues to accept over-length PLTE chunks when reading, +but does not make any use of the extra entries. + .SH XIII. Detecting libpng The png_get_io_ptr() function has been present since libpng-0.88, has never
diff --git a/pngwrite.c b/pngwrite.c
index 2da3f01f3..dd3f9b6c1 100644
--- a/pngwrite.c
+++ b/pngwrite.c
@@ -1,7 +1,7 @@
 
 /* pngwrite.c - general routines to write a PNG file
 *
- * Last changed in libpng 1.6.18 [July 23, 2015]
+ * Last changed in libpng 1.6.19 [(PENDING RELEASE)]
 * Copyright (c) 1998-2015 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -206,7 +206,7 @@ png_write_info(png_structrp png_ptr, png_const_inforp info_ptr)
 png_write_PLTE(png_ptr, info_ptr->palette,
 (png_uint_32)info_ptr->num_palette);
 
- else if ((info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) !=0)
+ else if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
 png_error(png_ptr, "Valid palette required for paletted images");
 
 #ifdef PNG_WRITE_tRNS_SUPPORTED
diff --git a/pngwutil.c b/pngwutil.c
index 957527584..71923298f 100644
--- a/pngwutil.c
+++ b/pngwutil.c
@@ -922,17 +922,20 @@ void /* PRIVATE */
 png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
 png_uint_32 num_pal)
 {
- png_uint_32 i;
+ png_uint_32 max_num_pal, i;
 png_const_colorp pal_ptr;
 png_byte buf[3];
 
 png_debug(1, "in png_write_PLTE");
 
+ max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
 if ((
 #ifdef PNG_MNG_FEATURES_SUPPORTED
 (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
 #endif
- num_pal == 0) || num_pal > 256)
+ num_pal == 0) || num_pal > max_num_pal)
 {
 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
 {
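Review bot: In the pngwutil.c hunk the new bound `max_num_pal` is computed with a signed shift, `(1 << png_ptr->bit_depth)`, and then stored in a `png_uint_32`; writing it as `(png_uint_32)1 << png_ptr->bit_depth` keeps the arithmetic unsigned and makes it plain that the result is only meaningful for an already-validated bit depth (1, 2, 4 or 8 for palette images, presumably checked when IHDR is written, which is not visible here). A one-line comment above the assignment, for example `/* A palette image can index at most 2^bit_depth entries. */`, would explain why the fixed 256 is no longer the limit. The check guards only the write path: the manual text added in this commit says the reader makes no use of extra entries, but nothing in the diff shows where that is enforced, so it is worth confirming that the code that stores and reads back the palette applies the same bound. The body of png_write_PLTE continues past the end of the hunk.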