[libpng16] If benign errors are disabled use maximum window on ancillary
inflate. This works round a bug introduced in 1.5.4 where compressed ancillary chunks could end up with a too-small windowBits value in the deflate header.
parent
1ffbe8c7c1
commit
9066919600
8
ANNOUNCE
8
ANNOUNCE
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
Libpng 1.6.0beta17 - March 9, 2012
|
Libpng 1.6.0beta17 - March 10, 2012
|
||||||
|
|
||||||
This is not intended to be a public release. It will be replaced
|
This is not intended to be a public release. It will be replaced
|
||||||
within a few weeks by a public version or by another test version.
|
within a few weeks by a public version or by another test version.
|
||||||
@ -286,13 +286,17 @@ Version 1.6.0beta16 [March 6, 2012]
|
|||||||
If the call to deflateInit2() is wrong a png_warning will be issued
|
If the call to deflateInit2() is wrong a png_warning will be issued
|
||||||
(in fact this is harmless, but the PNG data produced may be sub-optimal).
|
(in fact this is harmless, but the PNG data produced may be sub-optimal).
|
||||||
|
|
||||||
Version 1.6.0beta17 [March 9, 2012]
|
Version 1.6.0beta17 [March 10, 2012]
|
||||||
Fixed PNG_LIBPNG_BUILD_BASE_TYPE definition.
|
Fixed PNG_LIBPNG_BUILD_BASE_TYPE definition.
|
||||||
Reject all iCCP chunks after the first, even if the first one is invalid.
|
Reject all iCCP chunks after the first, even if the first one is invalid.
|
||||||
Deflate/inflate was reworked to move common zlib calls into single
|
Deflate/inflate was reworked to move common zlib calls into single
|
||||||
functions [rw]util.c. A new shared keyword check routine was also added
|
functions [rw]util.c. A new shared keyword check routine was also added
|
||||||
and the 'zbuf' is no longer allocated on progressive read. It is now
|
and the 'zbuf' is no longer allocated on progressive read. It is now
|
||||||
possible to call png_inflate() incrementally.
|
possible to call png_inflate() incrementally.
|
||||||
|
If benign errors are disabled use maximum window on ancilliary inflate.
|
||||||
|
This works round a bug introduced in 1.5.4 where compressed ancillary
|
||||||
|
chunks could end up with a too-small windowBits value in the deflate
|
||||||
|
header.
|
||||||
|
|
||||||
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
|
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
|
||||||
(subscription required; visit
|
(subscription required; visit
|
||||||
|
6
CHANGES
6
CHANGES
@ -4037,13 +4037,17 @@ Version 1.6.0beta16 [March 6, 2012]
|
|||||||
If the call to deflateInit2() is wrong a png_warning will be issued
|
If the call to deflateInit2() is wrong a png_warning will be issued
|
||||||
(in fact this is harmless, but the PNG data produced may be sub-optimal).
|
(in fact this is harmless, but the PNG data produced may be sub-optimal).
|
||||||
|
|
||||||
Version 1.6.0beta17 [March 9, 2012]
|
Version 1.6.0beta17 [March 10, 2012]
|
||||||
Fixed PNG_LIBPNG_BUILD_BASE_TYPE definition.
|
Fixed PNG_LIBPNG_BUILD_BASE_TYPE definition.
|
||||||
Reject all iCCP chunks after the first, even if the first one is invalid.
|
Reject all iCCP chunks after the first, even if the first one is invalid.
|
||||||
Deflate/inflate was reworked to move common zlib calls into single
|
Deflate/inflate was reworked to move common zlib calls into single
|
||||||
functions [rw]util.c. A new shared keyword check routine was also added
|
functions [rw]util.c. A new shared keyword check routine was also added
|
||||||
and the 'zbuf' is no longer allocated on progressive read. It is now
|
and the 'zbuf' is no longer allocated on progressive read. It is now
|
||||||
possible to call png_inflate() incrementally.
|
possible to call png_inflate() incrementally.
|
||||||
|
If benign errors are disabled use maximum window on ancilliary inflate.
|
||||||
|
This works round a bug introduced in 1.5.4 where compressed ancillary
|
||||||
|
chunks could end up with a too-small windowBits value in the deflate
|
||||||
|
header.
|
||||||
|
|
||||||
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
|
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
|
||||||
(subscription required; visit
|
(subscription required; visit
|
||||||
|
42
pngrutil.c
42
pngrutil.c
@ -326,7 +326,7 @@ png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size, int warn)
|
|||||||
* chunk apparently owns the stream. Prior to release it does a png_error.
|
* chunk apparently owns the stream. Prior to release it does a png_error.
|
||||||
*/
|
*/
|
||||||
static int
|
static int
|
||||||
png_inflate_claim(png_structrp png_ptr, png_uint_32 owner)
|
png_inflate_claim(png_structrp png_ptr, png_uint_32 owner, int window_bits)
|
||||||
{
|
{
|
||||||
if (png_ptr->zowner != 0)
|
if (png_ptr->zowner != 0)
|
||||||
{
|
{
|
||||||
@ -373,9 +373,10 @@ png_inflate_claim(png_structrp png_ptr, png_uint_32 owner)
|
|||||||
if (png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED)
|
if (png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED)
|
||||||
{
|
{
|
||||||
# if ZLIB_VERNUM < 0x1240
|
# if ZLIB_VERNUM < 0x1240
|
||||||
|
PNG_UNUSED(window_bits)
|
||||||
ret = inflateReset(&png_ptr->zstream);
|
ret = inflateReset(&png_ptr->zstream);
|
||||||
# else
|
# else
|
||||||
ret = inflateReset2(&png_ptr->zstream, 0/*use stream windowBits*/);
|
ret = inflateReset2(&png_ptr->zstream, window_bits);
|
||||||
# endif
|
# endif
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -384,7 +385,7 @@ png_inflate_claim(png_structrp png_ptr, png_uint_32 owner)
|
|||||||
# if ZLIB_VERNUM < 0x1240
|
# if ZLIB_VERNUM < 0x1240
|
||||||
ret = inflateInit(&png_ptr->zstream);
|
ret = inflateInit(&png_ptr->zstream);
|
||||||
# else
|
# else
|
||||||
ret = inflateInit2(&png_ptr->zstream, 0/*use stream windowBits*/);
|
ret = inflateInit2(&png_ptr->zstream, window_bits);
|
||||||
# endif
|
# endif
|
||||||
|
|
||||||
if (ret == Z_OK)
|
if (ret == Z_OK)
|
||||||
@ -571,8 +572,14 @@ png_decompress_chunk(png_structrp png_ptr,
|
|||||||
if (limit < *newlength)
|
if (limit < *newlength)
|
||||||
*newlength = limit;
|
*newlength = limit;
|
||||||
|
|
||||||
/* Now try to claim the stream */
|
/* Now try to claim the stream; the 'warn' setting causes zlib to be told
|
||||||
ret = png_inflate_claim(png_ptr, png_ptr->chunk_name);
|
* to use the maximum window size during inflate; this hides errors in the
|
||||||
|
* deflate header window bits value which is used if '0' is passed. In
|
||||||
|
* fact this only has an effect with zlib versions 1.2.4 and later - see
|
||||||
|
* the comments in png_inflate_claim above.
|
||||||
|
*/
|
||||||
|
ret = png_inflate_claim(png_ptr, png_ptr->chunk_name,
|
||||||
|
png_ptr->flags & PNG_FLAG_BENIGN_ERRORS_WARN ? 15 : 0);
|
||||||
|
|
||||||
if (ret == Z_OK)
|
if (ret == Z_OK)
|
||||||
{
|
{
|
||||||
@ -584,11 +591,14 @@ png_decompress_chunk(png_structrp png_ptr,
|
|||||||
|
|
||||||
if (ret == Z_STREAM_END)
|
if (ret == Z_STREAM_END)
|
||||||
{
|
{
|
||||||
#if 1
|
/* Use 'inflateReset' here, not 'inflateReset2' because this
|
||||||
|
* preserves the previously decided window size (otherwise it would
|
||||||
|
* be necessary to store the previous window size.) In practice
|
||||||
|
* this doesn't matter anyway, because png_inflate will call inflate
|
||||||
|
* with Z_FINISH in almost all cases, so the window will not be
|
||||||
|
* maintained.
|
||||||
|
*/
|
||||||
if (inflateReset(&png_ptr->zstream) == Z_OK)
|
if (inflateReset(&png_ptr->zstream) == Z_OK)
|
||||||
#else
|
|
||||||
if (inflateReset2(&png_ptr->zstream, 0/*from stream*/) == Z_OK)
|
|
||||||
#endif
|
|
||||||
{
|
{
|
||||||
/* Because of the limit checks above we know that the new,
|
/* Because of the limit checks above we know that the new,
|
||||||
* expanded, size will fit in a size_t (let alone an
|
* expanded, size will fit in a size_t (let alone an
|
||||||
@ -3884,7 +3894,11 @@ png_read_IDAT_data(png_structrp png_ptr, png_bytep output,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Use NO_FLUSH; this gives zlib the maximum opportunity to optimize the
|
/* Use NO_FLUSH; this gives zlib the maximum opportunity to optimize the
|
||||||
* process.
|
* process. If the LZ stream is truncated the sequential reader will
|
||||||
|
* terminally damage the stream, above, by reading the chunk header of the
|
||||||
|
* following chunk (it then exits with png_error).
|
||||||
|
*
|
||||||
|
* TODO: deal more elegantly with truncated IDAT lists.
|
||||||
*/
|
*/
|
||||||
ret = inflate(&png_ptr->zstream, Z_NO_FLUSH);
|
ret = inflate(&png_ptr->zstream, Z_NO_FLUSH);
|
||||||
|
|
||||||
@ -4336,8 +4350,12 @@ defined(PNG_USER_TRANSFORM_PTR_SUPPORTED)
|
|||||||
png_free(png_ptr, buffer);
|
png_free(png_ptr, buffer);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Finally claim the zstream for the inflate of the IDAT data. */
|
/* Finally claim the zstream for the inflate of the IDAT data, use the bits
|
||||||
if (png_inflate_claim(png_ptr, png_IDAT) != Z_OK)
|
* value from the stream (note that this will result in a fatal error if the
|
||||||
|
* IDAT stream has a bogus deflate header window_bits value, but this should
|
||||||
|
* not be happening any longer!)
|
||||||
|
*/
|
||||||
|
if (png_inflate_claim(png_ptr, png_IDAT, 0) != Z_OK)
|
||||||
png_error(png_ptr, png_ptr->zstream.msg);
|
png_error(png_ptr, png_ptr->zstream.msg);
|
||||||
|
|
||||||
png_ptr->flags |= PNG_FLAG_ROW_INIT;
|
png_ptr->flags |= PNG_FLAG_ROW_INIT;
|
||||||
|
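Review bot: In the png_decompress_chunk hunk the literal `15` handed to png_inflate_claim is zlib's maximum windowBits, and neither the call site nor the new `window_bits` parameter names it or states its valid range. I would write the argument as `(png_ptr->flags & PNG_FLAG_BENIGN_ERRORS_WARN) != 0 ? MAX_WBITS : 0`, using the constant from zlib's own headers. I would also add a line to png_inflate_claim's header comment along the lines of `window_bits: 0 takes the size from the deflate header, otherwise 8..15; ignored when ZLIB_VERNUM < 0x1240`; the new comment points to "the comments in png_inflate_claim above", but the hunks shown add none there. Forcing the maximum window appears to mean zlib will no longer reject a compressed ancillary chunk whose header understates its window, so the `limit` clamp just above the call becomes the main bound on how far untrusted chunk data can expand, and that is worth saying in the comment. Both functions begin and end outside the hunks shown, so this is based only on the visible lines.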