From e34f80e5aa20c7b0d17d681290aa21cfcb027ba6 Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Wed, 13 Oct 2010 06:55:30 -0500 Subject: [PATCH] [devel] Check for out-of-range text compression mode in png_set_text(). --- ANNOUNCE | 7 ++++--- CHANGES | 3 ++- pngset.c | 8 +++++++- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index d568bc2c7..540742201 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,5 +1,5 @@ -Libpng 1.5.0beta50 - October 12, 2010 +Libpng 1.5.0beta50 - October 13, 2010 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -226,7 +226,7 @@ version 1.5.0beta24 [May 7, 2010] offset of the png_ptr->rowbuf pointer into png_ptr->big_row_buf. Added more blank lines for readability. -version 1.5.0beta25 [October 12, 2010] +version 1.5.0beta25 [October 13, 2010] In pngpread.c: png_push_have_row() add check for new_row > height Removed the now-redundant check for out-of-bounds new_row from example.c @@ -408,10 +408,11 @@ Version 1.5.0beta48 [October 4, 2010] Version 1.5.0beta49 [October 8, 2010] Undid Makefile.am revision of 1.5.0beta48. -Version 1.5.0beta50 [October 12, 2010] +Version 1.5.0beta50 [October 13, 2010] Revised Makefile.in to account for mkinstalldirs being removed. Added some "(unsigned long)" typecasts in printf statements in pngvalid.c. Suppressed a compiler warning in png_handle_sPLT(). + Check for out-of-range text compression mode in png_set_text(). Send comments/corrections/commendations to png-mng-implement at lists.sf.net: (subscription required; visit diff --git a/CHANGES b/CHANGES index 2fea8a127..086f9312a 100644 --- a/CHANGES +++ b/CHANGES 
@@ -3046,10 +3046,11 @@ Version 1.5.0beta48 [October 4, 2010] Version 1.5.0beta49 [October 8, 2010] Undid Makefile.am revision of 1.5.0beta48. -Version 1.5.0beta50 [October 12, 2010] +Version 1.5.0beta50 [October 13, 2010] Revised Makefile.in to account for mkinstalldirs being removed. Added some "(unsigned long)" typecasts in printf statements in pngvalid.c. Suppressed a compiler warning in png_handle_sPLT(). + Check for out-of-range text compression mode in png_set_text(). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/pngset.c b/pngset.c index 341826498..e49bf6dc4 100644 --- a/pngset.c +++ b/pngset.c @@ -1,7 +1,7 @@ /* pngset.c - storage of image information into info struct * - * Last changed in libpng 1.5.0 [October 8, 2010] + * Last changed in libpng 1.5.0 [October 13, 2010] * Copyright (c) 1998-2010 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -679,6 +679,12 @@ png_set_text_2(png_structp png_ptr, png_infop info_ptr, key_len = png_strlen(text_ptr[i].key); + if (text_ptr[i].compression >= PNG_TEXT_COMPRESSION_LAST) + { + png_warning(png_ptr, "text compression mode is out of range"); + continue; + } + if (text_ptr[i].compression <= 0) { lang_len = 0;
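Review bot: The new guard in png_set_text_2() rejects only values at or above PNG_TEXT_COMPRESSION_LAST, so an out-of-range negative mode still falls into the `text_ptr[i].compression <= 0` branch directly below it, where it is handled like a non-iTXt entry (that branch sets `lang_len = 0`). Since `compression` is taken unchanged from the caller's png_text array, bound it on both sides, e.g. `if (text_ptr[i].compression < PNG_TEXT_COMPRESSION_NONE_WR || text_ptr[i].compression >= PNG_TEXT_COMPRESSION_LAST)`, assuming PNG_TEXT_COMPRESSION_NONE_WR is the lowest mode png.h defines. A short comment such as `/* Skip entries whose compression mode is not a defined value; they are dropped, not clamped */` would record the intent of the `continue`. The loop header and the rest of the function lie outside the hunk, so how a skipped entry affects the stored text count cannot be confirmed from here.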