[libpng16] Imported from libpng-1.6.0beta12.tar

2012-02-17 16:12:24 -06:00 · 2012-02-17 16:12:24 -06:00 · a4badc4b50
commit a4badc4b50
parent b0606ea043
4 changed files with 41 additions and 23 deletions
--- a/8
+++ b/8
@ -212,7 +212,13 @@ Version 1.6.0beta11 [February 16, 2012]
    Apps are responsible for checking to see if that happened.
 Version 1.6.0beta12 [February 17, 2012]
-  Increase num_palette to invalid_index + 1, not to invalid_index.
+  Do not increase num_palette on invalid_index.
  Relocated check for invalid palette index to pngrtran.c, after unpacking
    the sub-8-bit pixels.
  Fixed CVE-2011-3026 buffer overrun bug.  Deal more correctly with the test
    on iCCP chunk length. Also removed spurious casts that may hide problems
    on 16-bit systems.
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
--- a/7
+++ b/7
@ -3963,7 +3963,12 @@ Version 1.6.0beta11 [February 16, 2012]
    Apps are responsible for checking to see if that happened.
 Version 1.6.0beta12 [February 17, 2012]
-  Increase num_palette to invalid_index + 1, not to invalid_index.
+  Do not increase num_palette on invalid_index.
  Relocated check for invalid palette index to pngrtran.c, after unpacking
    the sub-8-bit pixels.
  Fixed CVE-2011-3026 buffer overrun bug.  Deal more correctly with the test
    on iCCP chunk length. Also removed spurious casts that may hide problems
    on 16-bit systems.
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
--- a/pngread.c
+++ b/pngread.c
@ -523,27 +523,6 @@ png_read_row(png_structrp png_ptr, png_bytep row, png_bytep dsp_row)
         png_error(png_ptr, "bad adaptive filter value");
   }
   if ((png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) &&
      (png_ptr->num_palette < (1 << png_ptr->bit_depth)))
   {
      if ((png_ptr->interlaced && png_ptr->pass == 6) ||
          (!png_ptr->interlaced && png_ptr->pass == 0))
      {
         png_uint_32 i;
         png_bytep rp = png_ptr->row_buf+1;
         for (i = 0; i <= row_info.rowbytes; i++)
         {
            if (*rp >= png_ptr->num_palette)
            {
               png_warning(png_ptr,"Found invalid palette index");
               png_ptr->num_palette=*rp + 1;
            }
            rp++;
         }
      }
   }
   /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before
    * 1.5.6, while the buffer really is this big in current versions of libpng
    * it may not be in the future, so this was changed just to copy the
--- a/pngrtran.c
+++ b/pngrtran.c
@ -2294,6 +2294,34 @@ png_do_read_transformations(png_structrp png_ptr, png_row_infop row_info)
      png_do_unpack(row_info, png_ptr->row_buf + 1);
 #endif
 /* Added at libpng-1.6.0 */
 #ifdef PNG_CHECK_FOR_INVALID_INDEX_SUPPORTED
   /* To do: Fix does not check sub-8-bit rows that have not been unpacked. */
   if (row_info->color_type == PNG_COLOR_TYPE_PALETTE &&
      row_info->bit_depth == 8)
     if (png_ptr->num_palette < (1 << png_ptr->bit_depth))
     {
        if ((png_ptr->interlaced && png_ptr->pass == 6) ||
            (!png_ptr->interlaced && png_ptr->pass == 0))
        {
           png_uint_32 i;
           png_bytep rp = png_ptr->row_buf+1; /* +1 to skip the filter byte */
           for (i = 0; i <= row_info->rowbytes; i++)
           {
              if (*rp >= png_ptr->num_palette)
              {
                 /* Should this be a benign error instead of a warning? */
                 png_warning(png_ptr,"Found invalid palette index");
                 break;
              }
              rp++;
           }
        }
     }
 #endif
 #ifdef PNG_READ_BGR_SUPPORTED
   if (png_ptr->transformations & PNG_BGR)
      png_do_bgr(row_info, png_ptr->row_buf + 1);