diff options
| author | John Bowler <jbowler@acm.org> | 2014-12-21 17:11:33 -0600 |
|---|---|---|
| committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2014-12-21 17:11:33 -0600 |
| commit | dc294204b641373bc6eb603075a8b98f51a75dd8 (patch) | |
| tree | 6ecb4faa2b825550fb3e6d8567309a4438329f8c | |
| parent | 06ee38423b2bea8741a8674ff9ee4135185b5ec6 (diff) | |
| download | libpng-dc294204b641373bc6eb603075a8b98f51a75dd8.tar.gz | |
[libpng16] Fixed an overflow in png_combine_row with very wide interlaced
images.
| -rw-r--r-- | ANNOUNCE | 19 | ||||
| -rw-r--r-- | CHANGES | 3 | ||||
| -rw-r--r-- | pngrutil.c | 6 |
3 files changed, 17 insertions, 11 deletions
@@ -1,4 +1,4 @@ -Libpng 1.6.16rc02 - December 21, 2014 +Libpng 1.6.16rc03 - December 21, 2014 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -8,20 +8,20 @@ Files available for download: Source files with LF line endings (for Unix/Linux) and with a "configure" script - 1.6.16rc02.tar.xz (LZMA-compressed, recommended) - 1.6.16rc02.tar.gz + 1.6.16rc03.tar.xz (LZMA-compressed, recommended) + 1.6.16rc03.tar.gz Source files with CRLF line endings (for Windows), without the "configure" script - lp1616r02.7z (LZMA-compressed, recommended) - lp1616r02.zip + lp1616r03.7z (LZMA-compressed, recommended) + lp1616r03.zip Other information: - 1.6.16rc02-README.txt - 1.6.16rc02-LICENSE.txt - libpng-1.6.16rc02-*.asc (armored detached GPG signatures) + 1.6.16rc03-README.txt + 1.6.16rc03-LICENSE.txt + libpng-1.6.16rc03-*.asc (armored detached GPG signatures) Changes since the last public release (1.6.15): @@ -45,6 +45,9 @@ Version 1.6.16rc01 [December 21, 2014] Version 1.6.16rc02 [December 21, 2014] Undid the update to pngrutil.c in 1.6.16rc01. +Version 1.6.16rc03 [December 21, 2014] + Fixed an overflow in png_combine_row with very wide interlaced images. + Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement @@ -5119,6 +5119,9 @@ Version 1.6.16rc01 [December 21, 2014] Version 1.6.16rc02 [December 21, 2014] Undid the update to pngrutil.c in 1.6.16rc01. +Version 1.6.16rc03 [December 21, 2014] + Fixed an overflow in png_combine_row with very wide interlaced images. + Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement diff --git a/pngrutil.c b/pngrutil.c index e9fdd6206..4c26be48c 100644 --- a/pngrutil.c +++ b/pngrutil.c @@ -3003,7 +3003,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display) { unsigned int pixel_depth = png_ptr->transformed_pixel_depth; png_const_bytep sp = png_ptr->row_buf + 1; - png_uint_32 row_width = png_ptr->width; + png_alloc_size_t row_width = png_ptr->width; unsigned int pass = png_ptr->pass; png_bytep end_ptr = 0; png_byte end_byte = 0; @@ -3278,7 +3278,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display) /* But don't allow this number to exceed the actual row width. */ if (bytes_to_copy > row_width) - bytes_to_copy = row_width; + bytes_to_copy = (unsigned int)/*SAFE*/row_width; } else /* normal row; Adam7 only ever gives us one pixel to copy. */ @@ -3458,7 +3458,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display) dp += bytes_to_jump; row_width -= bytes_to_jump; if (bytes_to_copy > row_width) - bytes_to_copy = row_width; + bytes_to_copy = (unsigned int)/*SAFE*/row_width; } } |