[libpng16] Fixed an overflow in png_combine_row with very wide interlaced

images.
This commit is contained in:
John Bowler 2014-12-21 17:11:33 -06:00 committed by Glenn Randers-Pehrson
parent 06ee38423b
commit dc294204b6
3 changed files with 17 additions and 11 deletions

View File

@ -1,4 +1,4 @@
Libpng 1.6.16rc02 - December 21, 2014 Libpng 1.6.16rc03 - December 21, 2014
This is not intended to be a public release. It will be replaced This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version. within a few weeks by a public version or by another test version.
@ -8,20 +8,20 @@ Files available for download:
Source files with LF line endings (for Unix/Linux) and with a Source files with LF line endings (for Unix/Linux) and with a
"configure" script "configure" script
1.6.16rc02.tar.xz (LZMA-compressed, recommended) 1.6.16rc03.tar.xz (LZMA-compressed, recommended)
1.6.16rc02.tar.gz 1.6.16rc03.tar.gz
Source files with CRLF line endings (for Windows), without the Source files with CRLF line endings (for Windows), without the
"configure" script "configure" script
lp1616r02.7z (LZMA-compressed, recommended) lp1616r03.7z (LZMA-compressed, recommended)
lp1616r02.zip lp1616r03.zip
Other information: Other information:
1.6.16rc02-README.txt 1.6.16rc03-README.txt
1.6.16rc02-LICENSE.txt 1.6.16rc03-LICENSE.txt
libpng-1.6.16rc02-*.asc (armored detached GPG signatures) libpng-1.6.16rc03-*.asc (armored detached GPG signatures)
Changes since the last public release (1.6.15): Changes since the last public release (1.6.15):
@ -45,6 +45,9 @@ Version 1.6.16rc01 [December 21, 2014]
Version 1.6.16rc02 [December 21, 2014] Version 1.6.16rc02 [December 21, 2014]
Undid the update to pngrutil.c in 1.6.16rc01. Undid the update to pngrutil.c in 1.6.16rc01.
Version 1.6.16rc03 [December 21, 2014]
Fixed an overflow in png_combine_row with very wide interlaced images.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement https://lists.sourceforge.net/lists/listinfo/png-mng-implement

View File

@ -5119,6 +5119,9 @@ Version 1.6.16rc01 [December 21, 2014]
Version 1.6.16rc02 [December 21, 2014] Version 1.6.16rc02 [December 21, 2014]
Undid the update to pngrutil.c in 1.6.16rc01. Undid the update to pngrutil.c in 1.6.16rc01.
Version 1.6.16rc03 [December 21, 2014]
Fixed an overflow in png_combine_row with very wide interlaced images.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement https://lists.sourceforge.net/lists/listinfo/png-mng-implement

View File

@ -3003,7 +3003,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
{ {
unsigned int pixel_depth = png_ptr->transformed_pixel_depth; unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
png_const_bytep sp = png_ptr->row_buf + 1; png_const_bytep sp = png_ptr->row_buf + 1;
png_uint_32 row_width = png_ptr->width; png_alloc_size_t row_width = png_ptr->width;
unsigned int pass = png_ptr->pass; unsigned int pass = png_ptr->pass;
png_bytep end_ptr = 0; png_bytep end_ptr = 0;
png_byte end_byte = 0; png_byte end_byte = 0;
@ -3278,7 +3278,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
/* But don't allow this number to exceed the actual row width. */ /* But don't allow this number to exceed the actual row width. */
if (bytes_to_copy > row_width) if (bytes_to_copy > row_width)
bytes_to_copy = row_width; bytes_to_copy = (unsigned int)/*SAFE*/row_width;
} }
else /* normal row; Adam7 only ever gives us one pixel to copy. */ else /* normal row; Adam7 only ever gives us one pixel to copy. */
@ -3458,7 +3458,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
dp += bytes_to_jump; dp += bytes_to_jump;
row_width -= bytes_to_jump; row_width -= bytes_to_jump;
if (bytes_to_copy > row_width) if (bytes_to_copy > row_width)
bytes_to_copy = row_width; bytes_to_copy = (unsigned int)/*SAFE*/row_width;
} }
} }