diff --git a/ANNOUNCE b/ANNOUNCE index 14a015dd0..7147192b2 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -31,9 +31,12 @@ Version 1.6.18beta01 [April 01, 2015] bug report by Andrew Church). Fixed rgb_to_gray checks and added tRNS checks to pngvalid.c. This fixes some arithmetic errors that caused some tests to fail on - some 32-bit platforms. + some 32-bit platforms (Bug reports by Peter Breitenlohner [i686] + and Petr Gajdos [i586]). Version 1.6.18beta02 [April 1, 2015] + Suppressed some warnings from the Borland C++ 5.5.1/5.82 compiler + (Bug report by Viktor Szaka'ts). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index 9122bf441..1d03f468c 100644 --- a/CHANGES +++ b/CHANGES @@ -5211,9 +5211,12 @@ Version 1.6.18beta01 [April 01, 2015] bug report by Andrew Church). Fixed rgb_to_gray checks and added tRNS checks to pngvalid.c. This fixes some arithmetic errors that caused some tests to fail on - some 32-bit platforms. + some 32-bit platforms (Bug reports by Peter Breitenlohner [i686] + and Petr Gajdos [i586]). Version 1.6.18beta02 [April 1, 2015] + Suppressed some warnings from the Borland C++ 5.5.1/5.82 compiler + (Bug report by Viktor Szaka'ts). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/png.c b/png.c index 0ba47217c..be76a9313 100644 --- a/png.c +++ b/png.c @@ -1,7 +1,7 @@ /* png.c - location for general purpose libpng functions * - * Last changed in libpng 1.6.17 [March 26, 2015] + * Last changed in libpng 1.6.18 [(PENDING RELEASE)] * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -2276,7 +2276,7 @@ png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr, /* Length *and* intent must match */ if (length == png_sRGB_checks[i].length && - intent == png_sRGB_checks[i].intent) + intent == (png_uint_32) png_sRGB_checks[i].intent) { /* Now calculate the adler32 if not done already. */ if (adler == 0) diff --git a/pngmem.c b/pngmem.c index 8b157e54d..45ac5579b 100644 --- a/pngmem.c +++ b/pngmem.c @@ -77,6 +77,9 @@ png_malloc_base,(png_const_structrp png_ptr, png_alloc_size_t size), PNG_UNUSED(png_ptr) #endif + /* Some compilers complain that this is always true. However, it + * can be false when integer overflow happens. + */ if (size > 0 && size <= PNG_SIZE_MAX # ifdef PNG_MAX_MALLOC_64K && size <= 65536U diff --git a/pngpread.c b/pngpread.c index 823dcad8c..e9bffb42b 100644 --- a/pngpread.c +++ b/pngpread.c @@ -1,7 +1,7 @@ /* pngpread.c - read a png file in push mode * - * Last changed in libpng 1.6.17 [March 26, 2015] + * Last changed in libpng 1.6.18 [(PENDING RELEASE)] * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -584,13 +584,11 @@ png_push_save_buffer(png_structrp png_ptr) if (png_ptr->save_buffer == NULL) { png_free(png_ptr, old_buffer); - old_buffer = NULL; png_error(png_ptr, "Insufficient memory for save_buffer"); } memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size); png_free(png_ptr, old_buffer); - old_buffer = NULL; png_ptr->save_buffer_max = new_max; } if (png_ptr->current_buffer_size) diff --git a/pngrtran.c b/pngrtran.c index cad7a8daa..0720f804c 100644 --- a/pngrtran.c +++ b/pngrtran.c @@ -1,7 +1,7 @@ /* pngrtran.c - transforms the data in a row for PNG readers * - * Last changed in libpng 1.6.17 [March 26, 2015] + * Last changed in libpng 1.6.18 [(PENDING RELEASE)] * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -4460,7 +4460,7 @@ png_do_expand(png_row_infop row_info, png_bytep row, for (i = 0; i < row_width; i++) { - if (*sp == gray) + if ((*sp & 0xff) == gray) *dp-- = 0; else @@ -4478,7 +4478,8 @@ png_do_expand(png_row_infop row_info, png_bytep row, dp = row + (row_info->rowbytes << 1) - 1; for (i = 0; i < row_width; i++) { - if (*(sp - 1) == gray_high && *(sp) == gray_low) + if ((*(sp - 1) & 0xff) == gray_high && + (*(sp) & 0xff) == gray_low) { *dp-- = 0; *dp-- = 0; diff --git a/pngrutil.c b/pngrutil.c index f5a8de77e..48edeb570 100644 --- a/pngrutil.c +++ b/pngrutil.c @@ -670,7 +670,6 @@ png_decompress_chunk(png_structrp png_ptr, * success) */ png_free(png_ptr, text); - text = NULL; /* This really is very benign, but it's still an error because * the extra space may otherwise be used as a Trojan Horse. @@ -1817,7 +1816,8 @@ png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) return; } - if (length > png_ptr->num_palette || length > PNG_MAX_PALETTE_LENGTH || + if (length > png_ptr->num_palette || + length > (unsigned int) PNG_MAX_PALETTE_LENGTH || length == 0) { png_crc_finish(png_ptr, length); @@ -1980,7 +1980,7 @@ png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) num = length / 2 ; - if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH) + if (num != png_ptr->num_palette || num > (unsigned int) PNG_MAX_PALETTE_LENGTH) { png_crc_finish(png_ptr, length); png_chunk_benign_error(png_ptr, "invalid"); diff --git a/pngset.c b/pngset.c index fce303916..a9a17979f 100644 --- a/pngset.c +++ b/pngset.c @@ -1,7 +1,7 @@ /* pngset.c - storage of image information into info struct * - * Last changed in libpng 1.6.17 [March 26, 2015] + * Last changed in libpng 1.6.18 [(PENDING RELEASE)] * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -673,7 +673,6 @@ png_set_iCCP(png_const_structrp png_ptr, png_inforp info_ptr, if (new_iccp_profile == NULL) { png_free(png_ptr, new_iccp_name); - new_iccp_name = NULL; png_benign_error(png_ptr, "Insufficient memory to process iCCP profile"); @@ -1522,6 +1521,9 @@ png_set_compression_buffer_size(png_structrp png_ptr, png_size_t size) } #ifndef __COVERITY__ + /* Some compilers complain that this is always false. However, it + * can be true when integer overflow happens. + */ if (size > ZLIB_IO_MAX) { png_warning(png_ptr, diff --git a/pngtrans.c b/pngtrans.c index cd3a79b6f..6d5a0cfd9 100644 --- a/pngtrans.c +++ b/pngtrans.c @@ -1,7 +1,7 @@ /* pngtrans.c - transforms the data in a row (used by both readers and writers) * - * Last changed in libpng 1.6.17 [March 26, 2015] + * Last changed in libpng 1.6.18 [(PENDING RELEASE)] * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -704,7 +704,7 @@ png_do_check_palette_indexes(png_structrp png_ptr, png_row_infop row_info) */ for (; rp > png_ptr->row_buf; rp--) { - if (*rp >> padding != 0) + if ((*rp >> padding) != 0) png_ptr->num_palette_max = 1; padding = 0; } diff --git a/pngwtran.c b/pngwtran.c index db82e27bc..07aa97cec 100644 --- a/pngwtran.c +++ b/pngwtran.c @@ -1,7 +1,7 @@ /* pngwtran.c - transforms the data in a row for PNG writers * - * Last changed in libpng 1.6.17 [March 26, 2015] + * Last changed in libpng 1.6.18 [(PENDING RELEASE)] * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -422,7 +422,7 @@ png_do_write_invert_alpha(png_row_infop row_info, png_bytep row) *(dp++) = *(sp++); */ sp+=3; dp = sp; - *(dp++) = (png_byte)(255 - *(sp++)); + *dp = (png_byte)(255 - *(sp++)); } } @@ -446,7 +446,7 @@ png_do_write_invert_alpha(png_row_infop row_info, png_bytep row) */ sp+=6; dp = sp; *(dp++) = (png_byte)(255 - *(sp++)); - *(dp++) = (png_byte)(255 - *(sp++)); + *dp = (png_byte)(255 - *(sp++)); } } #endif /* WRITE_16BIT */ @@ -484,7 +484,7 @@ png_do_write_invert_alpha(png_row_infop row_info, png_bytep row) */ sp+=2; dp = sp; *(dp++) = (png_byte)(255 - *(sp++)); - *(dp++) = (png_byte)(255 - *(sp++)); + *dp = (png_byte)(255 - *(sp++)); } } #endif /* WRITE_16BIT */