diff --git a/ANNOUNCE b/ANNOUNCE
index 11520a22b..31e1cbb4e 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -28,6 +28,11 @@ Changes since the last public release (1.5.6):
 Version 1.5.7 [November 3, 2011]
 Added support for ARM processor (Mans Rullgard)
+ Fixed bug in pngvalid on early allocation failure; fixed type cast in
+ pngmem.c; pngvalid would attempt to call png_error() if the allocation
+ of a png_struct or png_info failed. This would probably have led to a
+ crash. The pngmem.c implementation of png_malloc() included a cast
+ to png_size_t which would fail on large allocations on 16-bit systems.
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net:
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index 305ffeada..cc2ebea58 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3671,6 +3671,11 @@ Version 1.5.6 [November 3, 2011]
 Version 1.5.7 [November 3, 2011]
 Added support for ARM processor (Mans Rullgard)
+ Fixed bug in pngvalid on early allocation failure; fixed type cast in
+ pngmem.c; pngvalid would attempt to call png_error() if the allocation
+ of a png_struct or png_info failed. This would probably have led to a
+ crash. The pngmem.c implementation of png_malloc() included a cast
+ to png_size_t which would fail on large allocations on 16-bit systems.
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/pngmem.c b/pngmem.c
index ea606d6a6..756eb0150 100644
--- a/pngmem.c
+++ b/pngmem.c
@@ -1,7 +1,7 @@
 /* pngmem.c - stub functions for memory allocation
 *
- * Last changed in libpng 1.5.4 [July 7, 2011]
+ * Last changed in libpng 1.5.7 [(PENDING RELEASE)]
 * Copyright (c) 1998-2011 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -56,9 +56,9 @@ png_create_struct_2,(int type, png_malloc_ptr malloc_fn, png_voidp mem_ptr),
 if (malloc_fn != NULL)
 {
 png_struct dummy_struct;
- png_structp png_ptr = &dummy_struct;
- png_ptr->mem_ptr=mem_ptr;
- struct_ptr = (*(malloc_fn))(png_ptr, (png_uint_32)size);
+ memset(&dummy_struct, 0, sizeof dummy_struct);
+ dummy_struct.mem_ptr=mem_ptr;
+ struct_ptr = (*(malloc_fn))(&dummy_struct, (png_alloc_size_t)size);
 }
 else
@@ -90,9 +90,9 @@ png_destroy_struct_2(png_voidp struct_ptr, png_free_ptr free_fn,
 if (free_fn != NULL)
 {
 png_struct dummy_struct;
- png_structp png_ptr = &dummy_struct;
- png_ptr->mem_ptr=mem_ptr;
- (*(free_fn))(png_ptr, struct_ptr);
+ memset(&dummy_struct, 0, sizeof dummy_struct);
+ dummy_struct.mem_ptr=mem_ptr;
+ (*(free_fn))(&dummy_struct, struct_ptr);
 return;
 }
@@ -143,7 +143,7 @@ png_malloc,(png_structp png_ptr, png_alloc_size_t size),PNG_ALLOCATED)
 # ifdef PNG_USER_MEM_SUPPORTED
 if (png_ptr->malloc_fn != NULL)
- ret = ((png_voidp)(*(png_ptr->malloc_fn))(png_ptr, (png_size_t)size));
+ ret = ((png_voidp)(*(png_ptr->malloc_fn))(png_ptr, size));
 else
 ret = (png_malloc_default(png_ptr, size));
diff --git a/pngpriv.h b/pngpriv.h
index d0b7180eb..a9e68d69d 100644
--- a/pngpriv.h
+++ b/pngpriv.h
@@ -6,7 +6,7 @@
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
 *
- * Last changed in libpng 1.5.6 [(PENDING RELEASE)]
+ * Last changed in libpng 1.5.7 [(PENDING RELEASE)]
 *
 * This code is released under the libpng license.
 * For conditions of distribution and use, see the disclaimer
diff --git a/pngrutil.c b/pngrutil.c
index beb947b8e..fc96ca49d 100644
--- a/pngrutil.c
+++ b/pngrutil.c
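Review bot: The zeroed dummy_struct handed to malloc_fn in png_create_struct_2 (and to free_fn in the png_destroy_struct_2 hunk that follows) is a fake png_struct whose error_fn and longjmp_fn are now NULL, so a user callback that calls png_error on it ends in PNG_ABORT instead of an indirect call through uninitialized memory, if I read png_error/png_longjmp in this release correctly; that contract belongs in a comment at the memset rather than only in pngvalid.c. Suggested, on the line before the memset: `/* Only mem_ptr is meaningful here: the callback must not call png_error or any other libpng API on this dummy struct. */`. The rest of this file uses the png_memset wrapper from pngpriv.h; a bare memset is inconsistent with that and only compiles if <string.h> is already reachable through the existing includes, which is not visible here. The enclosing functions start before and end after their hunks.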
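Review bot: The outer `(png_voidp)` cast on the malloc_fn result in png_malloc is now the only cast left on that line and is redundant, since png_malloc_ptr is declared to return png_voidp; `ret = (*(png_ptr->malloc_fn))(png_ptr, size);` reads cleaner and matches the png_malloc_default branch below it. The body of png_malloc continues outside the hunk, so the NULL check on ret that the CHANGES entry relies on for the "png_malloc will do a png_error itself" case is not visible here and should be confirmed to still follow.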
@@ -1,7 +1,7 @@
 /* pngrutil.c - utilities to read a PNG file
 *
- * Last changed in libpng 1.5.6 [(PENDING RELEASE)]
+ * Last changed in libpng 1.5.7 [(PENDING RELEASE)]
 * Copyright (c) 1998-2011 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
diff --git a/pngvalid.c b/pngvalid.c
index 434ce5337..14d198ac9 100644
--- a/pngvalid.c
+++ b/pngvalid.c
@@ -1,7 +1,7 @@
 /* pngvalid.c - validate libpng by constructing then reading png files.
 *
- * Last changed in libpng 1.5.6 [(PENDING RELEASE)]
+ * Last changed in libpng 1.5.7 [(PENDING RELEASE)]
 * Copyright (c) 2011 Glenn Randers-Pehrson
 * Written by John Cunningham Bowler
 *
@@ -1332,7 +1332,21 @@ store_malloc(png_structp pp, png_alloc_size_t cb)
 }
 else
- store_pool_error(pool->store, pp, "out of memory");
+ {
+ /* NOTE: the PNG user malloc function cannot use the png_ptr it is passed
+ * other than to retrieve the allocation pointer! libpng calls the
+ * store_malloc callback in two basic cases:
+ *
+ * 1) From png_malloc; png_malloc will do a png_error itself if NULL is
+ * returned.
+ * 2) From png_struct or png_info structure creation; png_malloc is
+ * to return so cleanup can be performed.
+ *
+ * To handle this store_malloc can log a message, but can't do anything
+ * else.
+ */
+ store_log(pool->store, pp, "out of memory", 1 /* is_error */);
+ }
 return new;
 }
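Review bot: The new else-branch in store_malloc still forwards the raw `pp` into store_log with is_error set, whereas the store_free hunk in this same commit first nulls `pp` when it is neither the store's pread nor pwrite, precisely because the caller may be the zeroed dummy png_struct from png_create_struct_2; unless store_log is known never to hand pp to png_error, the same guard belongs here, `if (pp != pool->store->pread && pp != pool->store->pwrite) pp = NULL;` on the line before the store_log call. store_log's treatment of a dummy or NULL pp is not visible in this diff, so this is a consistency point to confirm. In the added comment, case 2 reads `png_malloc is to return`, which looks like a dropped word; `the callback is expected to return NULL so cleanup can be performed` states the intent. The head of store_malloc, including how `new` is initialised, lies outside the hunk.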
@@ -1343,6 +1357,14 @@ store_free(png_structp pp, png_voidp memory)
 store_pool *pool = voidcast(store_pool*, png_get_mem_ptr(pp));
 store_memory *this = voidcast(store_memory*, memory), **test;
+ /* Because libpng calls store_free with a dummy png_struct when deleting
+ * png_struct or png_info via png_destroy_struct_2 it is necessary to check
+ * the passed in png_structp to ensure it is valid, and not pass it to
+ * png_error if it is not.
+ */
+ if (pp != pool->store->pread && pp != pool->store->pwrite)
+ pp = NULL;
+
 /* First check that this 'memory' really is valid memory - it must be in the
 * pool list. If it is, use the shared memory_free function to free it.
 */
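Review bot: Once the new guard in store_free sets `pp` to NULL, every later use of pp in the function (its body continues past the hunk) must tolerate NULL, including whichever error path previously received it, and the comment should say so explicitly; suggested final line: ` * From here on pp is NULL unless it is the store's current read or write struct; later code must not dereference it or hand it to png_error.`. The guard also assumes pool->store->pread and pwrite still hold the live structs when png_destroy_struct_2 runs; if the store clears them before the destroy call, a genuine pointer is downgraded to NULL, which is the safe direction but worth one sentence in the comment. Note that png_get_mem_ptr(pp) on the line above is the one call on the dummy struct that is guaranteed to work, since the pngmem.c hunks only initialise mem_ptr.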