From dc294204b641373bc6eb603075a8b98f51a75dd8 Mon Sep 17 00:00:00 2001
From: John Bowler
Date: Sun, 21 Dec 2014 17:11:33 -0600
Subject: [PATCH] [libpng16] Fixed an overflow in png_combine_row with very wide interlaced images.
---
 ANNOUNCE | 19 +++++++++++--------
 CHANGES | 3 +++
 pngrutil.c | 6 +++---
 3 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/ANNOUNCE b/ANNOUNCE
index b9efa722e..e85eca1d2 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,4 +1,4 @@
-Libpng 1.6.16rc02 - December 21, 2014
+Libpng 1.6.16rc03 - December 21, 2014
 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version.
@@ -8,20 +8,20 @@ Files available for download:
 Source files with LF line endings (for Unix/Linux) and with a "configure" script
- 1.6.16rc02.tar.xz (LZMA-compressed, recommended)
- 1.6.16rc02.tar.gz
+ 1.6.16rc03.tar.xz (LZMA-compressed, recommended)
+ 1.6.16rc03.tar.gz
 Source files with CRLF line endings (for Windows), without the "configure" script
- lp1616r02.7z (LZMA-compressed, recommended)
- lp1616r02.zip
+ lp1616r03.7z (LZMA-compressed, recommended)
+ lp1616r03.zip
 Other information:
- 1.6.16rc02-README.txt
- 1.6.16rc02-LICENSE.txt
- libpng-1.6.16rc02-*.asc (armored detached GPG signatures)
+ 1.6.16rc03-README.txt
+ 1.6.16rc03-LICENSE.txt
+ libpng-1.6.16rc03-*.asc (armored detached GPG signatures)
 Changes since the last public release (1.6.15):
@@ -45,6 +45,9 @@ Version 1.6.16rc01 [December 21, 2014]
 Version 1.6.16rc02 [December 21, 2014]
 Undid the update to pngrutil.c in 1.6.16rc01.
+Version 1.6.16rc03 [December 21, 2014]
+ Fixed an overflow in png_combine_row with very wide interlaced images.
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/CHANGES b/CHANGES
index e0d3fc9a2..6f137c1dc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5119,6 +5119,9 @@ Version 1.6.16rc01 [December 21, 2014]
 Version 1.6.16rc02 [December 21, 2014]
 Undid the update to pngrutil.c in 1.6.16rc01.
+Version 1.6.16rc03 [December 21, 2014]
+ Fixed an overflow in png_combine_row with very wide interlaced images.
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/pngrutil.c b/pngrutil.c
index e9fdd6206..4c26be48c 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -3003,7 +3003,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
 {
 unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
 png_const_bytep sp = png_ptr->row_buf + 1;
- png_uint_32 row_width = png_ptr->width;
+ png_alloc_size_t row_width = png_ptr->width;
 unsigned int pass = png_ptr->pass;
 png_bytep end_ptr = 0;
 png_byte end_byte = 0;
@@ -3278,7 +3278,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
 /* But don't allow this number to exceed the actual row width. */
 if (bytes_to_copy > row_width)
- bytes_to_copy = row_width;
+ bytes_to_copy = (unsigned int)/*SAFE*/row_width;
 }
 else /* normal row; Adam7 only ever gives us one pixel to copy. */
@@ -3458,7 +3458,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
 dp += bytes_to_jump;
 row_width -= bytes_to_jump;
 if (bytes_to_copy > row_width)
- bytes_to_copy = row_width;
+ bytes_to_copy = (unsigned int)/*SAFE*/row_width;
 }
 }
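Review bot: `png_alloc_size_t row_width = png_ptr->width;` in the pngrutil.c hunk at line 3003 removes the overflow only where png_alloc_size_t is wider than png_uint_32; on a build where both are 32 bits, any later arithmetic that scales row_width (outside this hunk, so inferred from the commit subject) would wrap as before. If such rows are already rejected earlier on those builds, the declaration should say so, for example `/* png_alloc_size_t, not png_uint_32: later arithmetic on row_width must not wrap for very wide rows */`, together with the name of the check that covers narrow size_t targets. The diffstat lists no test file, so a regression case with a very wide interlaced image would help keep this fixed. The body of png_combine_row continues outside the hunk.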
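Review bot: The `/*SAFE*/` marker on `bytes_to_copy = (unsigned int)/*SAFE*/row_width;` in the pngrutil.c hunk at line 3278 does not say why the narrowing cast cannot truncate, and the hunk at line 3458 repeats it unchanged. The cast is safe only because the `if (bytes_to_copy > row_width)` directly above bounds row_width below bytes_to_copy, which appears to be an unsigned int judging by the cast; writing that down, e.g. `/* SAFE: row_width < bytes_to_copy here, so it fits in unsigned int */`, keeps a later edit from separating the assignment from its guard. In the 3458 hunk, `row_width -= bytes_to_jump;` is unsigned arithmetic on what is now a wider type, so it is worth confirming that the code above the hunk returns before bytes_to_jump can exceed row_width. Both enclosing blocks start outside their hunks.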