This removes the use of a macro containing the pre-processor 'defined'
operator. It is unclear whether this is valid; a macro which
"generates" 'defined' is not permitted, but the use of the work
"generates" within the C90 standard seems to imply more than simple
substitution of an expression itself containing a well-formed defined
operation.
Signed-off-by: John Bowler <jbowler@acm.org>
Remove all currently detected cases of unsigned overflow. Detection is
runtime, so test case dependent. The changes to pngvalid.c eliminate
spurious and probably invalid tests with one while loop exception.
Apart from that and the change to the dependence on the intended
unsigned overflow in pngtrans.c the changes are limited to altering the
meme for an unsigned 'x' from:
while (x-- > 0)
to
for (; x > 0; --x)
This works because, in all cases, the control variable is not used in
the loop. The 'while' meme was, at one time, warn'ed by GCC so it is
probably a good change, for some weird religious value of good.
Signed-off-by: John Bowler <jbowler@acm.org>
When an input file contains a zero length IDAT and pngfix is not applying the
IDAT rechunking (--max) option pngfix will go into a loop writing the zero
length IDAT for ever.
This is a fairly minor issue for interactive use; zero length IDAT is very rare,
the problem is obvious (pngfix hangs) and the fix (use --max, or --max=4096
etc), while not obvious, is easy.
For non-interactive use, e.g. trying to automatically repair a PNG that cannot
be read by libpng, there are security consequences:
1) pngfix hangs. This may permit a DoS attack.
2) When the --out option is used pngfix will just keep writing. This is a very
likely DoS scenario.
Signed-off-by: John Bowler <jbowler@acm.org>
The fixed size buffer for the file name being processed could have a byte
written beyond the end; a bug where the test was updated without changing the
size of the buffer. This commit reduces the buffer to the system maximum.
png_getrowbytes could, in theory, return 0; probably only if there is a bug in
libpng but the code now checks.
Signed-off-by: John Bowler <jbowler@acm.org>
In libpng 1.7 pngimage needs to check PNG_WRITE_PNG_SUPPORTED (new in 1.7), not
PNG_WRITE_SUPPORTED because png_write_png can be disabled without disabling
PNG_WRITE_SUPPORTED. Copied the approach from 1.6 pngcp.c (so this still works
in 1.6 as well.)
If PNG_PNGCP_TIMING_SUPPORTED is defined maximal resolution CPU time logging of
png_read_png and png_write_png is enabled via the --time command line option.
This is not on by default but is enabled by contrib/conftests/pngcp.dfa
Signed-off-by: John Bowler <jbowler@acm.org>
This adds pngcp to the build together with a pngcp.dfa configuration test; the
test revealed some configuration bugs which are fixed by corrections to the
_SUPPORTED macros.
pngcp builds on all tested configurations and a number of bugs have been fixed
to make this happen relative to the version in libpng 1.7 contrib/examples.
pngcp.dfa will have to be different for 1.7 but pngcp.c should work fine (not
yet tested). pngcp itself is still missing a usage message; this is a
preliminary version, although since it behaves the same way as 'cp' most unoids
shouldn't have a problem using it correctly.
Signed-off-by: John Bowler <jbowler@acm.org>
The SKIP definition needs to come after the png.h include (see all the other .c
files in contrib/libtests) because it depends on PNG_LIBPNG_VER. This commit
puts it in the correct place.
Signed-off-by: John Bowler <jbowler@acm.org>
MSVC does not like (uInt) = -(unsigned) (i.e. as an initializer), but it is fine
with it if the conversion is explicitly invoked by a cast.
Signed-off-by: John Bowler <jbowler@acm.org>
Coverity rejects code where an array element count has type size_t, this
elminates the code in question from contrib/libtests/pngvalid.c
Signed-off-by: John Bowler <jbowler@acm.org>
The previous version of the code invariably passed just one byte at a time to
libpng. The intention was to pass a random number of bytes in the range 0..511
(and this is what happens now).
Signed-off-by: John Bowler <jbowler@acm.org>
- memcpy-free implementations of load3() / store3().
These should have less variance compiler to compiler.
- call load3() only when needed at the end of a scanline.
In the middle, we can use the faster load4(), ignoring that byte.
The code no longer gives up/fails on invalid PNG data, it just skips it (with
error messages). The code no longer fails on PNG files with data beyond IEND.
Options exist to use png_read_png (reading the whole image, not by row) and, in
that case, to apply any of the supported transforms. This makes for more
realistic testing; the decoded data actually gets used in a meaningful fashion.
Signed-off-by: John Bowler <jbowler@acm.org>
The macro underreported the size (by up to 512 bytes) of an 8-bit non-color
palette based memory format because it failed to take into account that the
memory palette has to be expanded to full RGB when it is written to PNG.
This is not likely to be a serious bug because the macro is new, the memory
format in question is likely to be rarely used and the result of an undersized
buffer fails in a safe way.
Signed-off-by: John Bowler <jbowler@acm.org>
This is the test backported from 1.7 to ensure that when treating IDATs as
unknown the test does not fail if there are more than one IDAT chunks in the
file.
Signed-off-by: John Bowler <jbowler@acm.org>
This implements an API and provides a number of assist macros to allow an
application which uses the simplified API write to bypass stdio and write
directly to memory.
It also includes some warnings (png.h) and some check code to detect *possible*
overflow in the ROW_STRIDE and simplified image SIZE macros. This disallows
image width/height/format that *might* overflow. A quiet API change that limits
in-memory image size (uncompressed) to less that 4GByte and image row size
(stride) to less than 2GByte.
Signed-off-by: John Bowler <jbowler@acm.org>
Undefined because (png_byte) << shift is undefined if it changes the signed bit
(because png_byte is promoted to int). The libpng exported functions
png_get_uint_32 and png_get_uint_16 handle this.
Bug reported by David Drysdale as a result of reports from UBSAN in clang 3.8.
This changes pngvalid to use BE random numbers; this used to produce errors but
these should not be fixed as a result of the previous changes.
Signed-off-by: John Bowler <jbowler@acm.org>
