author | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2012-02-17 16:12:24 -0600 |
---|---|---|
committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2012-02-17 17:07:54 -0600 |
commit | a4badc4b50a2ff97dbdfb0819dac4ac5ca400302 (patch) | |
tree | 739dea2a62e198f11535717727d218835a32167b | |
parent | b0606ea0432955e22a271d10a49b5fd2f2eb7198 (diff) | |
download | libpng-1.6.0beta12.tar.gz |
[libpng16] Imported from libpng-1.6.0beta12.tarv1.6.0beta12
-rw-r--r-- | ANNOUNCE | 8 | ||||
-rw-r--r-- | CHANGES | 7 | ||||
-rw-r--r-- | pngread.c | 21 | ||||
-rw-r--r-- | pngrtran.c | 28 |
4 files changed, 41 insertions, 23 deletions
@@ -212,7 +212,13 @@ Version 1.6.0beta11 [February 16, 2012]
 Apps are responsible for checking to see if that happened.
 Version 1.6.0beta12 [February 17, 2012]
- Increase num_palette to invalid_index + 1, not to invalid_index.
+ Do not increase num_palette on invalid_index.
+ Relocated check for invalid palette index to pngrtran.c, after unpacking
+ the sub-8-bit pixels.
+ Fixed CVE-2011-3026 buffer overrun bug. Deal more correctly with the test
+ on iCCP chunk length. Also removed spurious casts that may hide problems
+ on 16-bit systems.
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
@@ -3963,7 +3963,12 @@ Version 1.6.0beta11 [February 16, 2012]
 Apps are responsible for checking to see if that happened.
 Version 1.6.0beta12 [February 17, 2012]
- Increase num_palette to invalid_index + 1, not to invalid_index.
+ Do not increase num_palette on invalid_index.
+ Relocated check for invalid palette index to pngrtran.c, after unpacking
+ the sub-8-bit pixels.
+ Fixed CVE-2011-3026 buffer overrun bug. Deal more correctly with the test
+ on iCCP chunk length. Also removed spurious casts that may hide problems
+ on 16-bit systems.
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
@@ -523,27 +523,6 @@ png_read_row(png_structrp png_ptr, png_bytep row, png_bytep dsp_row)
 png_error(png_ptr, "bad adaptive filter value");
 }
- if ((png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) &&
- (png_ptr->num_palette < (1 << png_ptr->bit_depth)))
- {
- if ((png_ptr->interlaced && png_ptr->pass == 6) ||
- (!png_ptr->interlaced && png_ptr->pass == 0))
- {
- png_uint_32 i;
- png_bytep rp = png_ptr->row_buf+1;
-
- for (i = 0; i <= row_info.rowbytes; i++)
- {
- if (*rp >= png_ptr->num_palette)
- {
- png_warning(png_ptr,"Found invalid palette index");
- png_ptr->num_palette=*rp + 1;
- }
- rp++;
- }
- }
- }
-
 /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before
 * 1.5.6, while the buffer really is this big in current versions of libpng
 * it may not be in the future, so this was changed just to copy the
diff --git a/pngrtran.c b/pngrtran.c
index 19939477f..8d7ec8821 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -2294,6 +2294,34 @@ png_do_read_transformations(png_structrp png_ptr, png_row_infop row_info)
 png_do_unpack(row_info, png_ptr->row_buf + 1);
 #endif
+/* Added at libpng-1.6.0 */
+#ifdef PNG_CHECK_FOR_INVALID_INDEX_SUPPORTED
+ /* To do: Fix does not check sub-8-bit rows that have not been unpacked. */
+ if (row_info->color_type == PNG_COLOR_TYPE_PALETTE &&
+ row_info->bit_depth == 8)
+ if (png_ptr->num_palette < (1 << png_ptr->bit_depth))
+ {
+ if ((png_ptr->interlaced && png_ptr->pass == 6) ||
+ (!png_ptr->interlaced && png_ptr->pass == 0))
+ {
+ png_uint_32 i;
+ png_bytep rp = png_ptr->row_buf+1; /* +1 to skip the filter byte */
+
+ for (i = 0; i <= row_info->rowbytes; i++)
+ {
+ if (*rp >= png_ptr->num_palette)
+ {
+ /* Should this be a benign error instead of a warning? */
+ png_warning(png_ptr,"Found invalid palette index");
+ break;
+ }
+
+ rp++;
+ }
+ }
+ }
+#endif
+
 #ifdef PNG_READ_BGR_SUPPORTED
 if (png_ptr->transformations & PNG_BGR)
 png_do_bgr(row_info, png_ptr->row_buf + 1); |
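Review bot: The scan loop in the added PNG_CHECK_FOR_INVALID_INDEX_SUPPORTED block of pngrtran.c uses `i <= row_info->rowbytes`, so starting from `png_ptr->row_buf+1` it inspects rowbytes + 1 bytes, one byte past the row's pixel data. That extra byte is not a palette index and can raise a false "Found invalid palette index" warning, and whether it still lies inside the row buffer allocation cannot be seen from this hunk. The bound should be `for (i = 0; i < row_info->rowbytes; i++)`. Separately, the pass test limits the scan to pass 6 of an interlaced image (pass 0 otherwise), so out-of-range indexes in rows delivered by the earlier passes appear to go unreported. Because the check now only warns and leaves both the index and num_palette unchanged, callers that index their own palette still need their own bounds check. png_do_read_transformations starts and ends outside the hunk.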