[libpng16] Imported from libpng-1.6.0beta20.tarv1.6.0beta20

18 files changed, 91 insertions, 43 deletions

diff --git a/ANNOUNCE b/ANNOUNCE
index bef84dc7c..c76da0d90 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -346,7 +346,8 @@ Version 1.6.0beta20 [March 29, 2012]
   Recognize known sRGB ICC profiles while reading; prefer writing the
     iCCP profile over writing the sRGB chunk, controlled by the
     PNG_sRGB_PROFILE_CHECKS option.
-  Revised png_set_text_2() to avoid potential memory corruption.
+  Revised png_set_text_2() to avoid potential memory corruption (fixes
+    CVE-2011-3048).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index 973209240..aaf48c9ad 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4097,7 +4097,8 @@ Version 1.6.0beta20 [March 29, 2012]
   Recognize known sRGB ICC profiles while reading; prefer writing the
     iCCP profile over writing the sRGB chunk, controlled by the
     PNG_sRGB_PROFILE_CHECKS option.
-  Revised png_set_text_2() to avoid a potential memory corruption.
+  Revised png_set_text_2() to avoid potential memory corruption (fixes
+    CVE-2011-3048).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/LICENSE b/LICENSE
index 2d5fa7c76..c4dc83528 100644
--- a/LICENSE
+++ b/LICENSE
@@ -10,7 +10,7 @@ this sentence.
 
 This code is released under the libpng license.
 
-libpng versions 1.2.6, August 15, 2004, through 1.6.0beta20, March 19, 2012, are
+libpng versions 1.2.6, August 15, 2004, through 1.6.0beta20, March 29, 2012, are
 Copyright (c) 2004, 2006-2011 Glenn Randers-Pehrson, and are
 distributed according to the same disclaimer and license as libpng-1.2.5
 with the following individual added to the list of Contributing Authors
@@ -108,4 +108,4 @@ certification mark of the Open Source Initiative.
 
 Glenn Randers-Pehrson
 glennrp at users.sourceforge.net
-March 19, 2012
+March 29, 2012
diff --git a/README b/README
index 86f689a1b..98e42e832 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-README for libpng version 1.6.0beta20 - March 19, 2012 (shared library 16.0)
+README for libpng version 1.6.0beta20 - March 29, 2012 (shared library 16.0)
 See the note about version numbers near the top of png.h
 
 See INSTALL for instructions on how to install libpng.
diff --git a/check_icc.c b/check_icc.c
new file mode 100644
index 000000000..ec74a7b04
--- /dev/null
+++ b/check_icc.c
@@ -0,0 +1,37 @@
+             {
+                 int
+                   icheck;
+
+                 /* 0: not a known sRGB profile
+                  * 1: HP-Microsoft sRGB v2
+                  * 2: ICC sRGB v4 perceptual
+                  * 3: ICC sRGB v2 perceptual no black-compensation
+                  */
+                 png_uint_32
+                   check_crc[4] = {0, 0xf29e526dUL, 0xbbef7812UL, 0x427ebb21UL},
+                   check_len[4] = {0, 3144, 60960, 3052};
+
+                 png_uint_32
+                   length,
+                   profile_crc;
+
+                 unsigned char
+                   *data;
+
+                 length=(png_uint_32) ...;
+
+                 for (icheck=3; icheck > 0; icheck--)
+                 {
+                   if (length == check_len[icheck])
+                   {
+                     data=...(profile);
+                     profile_crc=crc32(0,data,length);
+
+                     if (profile_crc == check_crc[icheck])
+                     {
+                        /* set sRGB.... */
+                        break;
+                     }
+                   }
+                 }
+              }
diff --git a/contrib/libtests/makepng.c b/contrib/libtests/makepng.c
index b1a2ef830..a0bfb4bae 100644
--- a/contrib/libtests/makepng.c
+++ b/contrib/libtests/makepng.c
@@ -417,6 +417,8 @@ write_png(FILE *fp, int color_type, int bit_depth,
       return 1;
    }
 
+   /* Allow benign errors so that we can write PNGs with errors */
+   png_set_benign_errors(png_ptr, 1/*allowed*/);
    png_init_io(png_ptr, fp);
 
    info_ptr = png_create_info_struct(png_ptr);
diff --git a/contrib/tools/checksum-icc.c b/contrib/tools/checksum-icc.c
index b7f51d1ae..74b3c3f03 100644
--- a/contrib/tools/checksum-icc.c
+++ b/contrib/tools/checksum-icc.c
@@ -44,17 +44,18 @@ read_one_file(FILE *ip, const char *name)
       return 0;
 
    /* Success */
-   printf("{ 0x%8.8lx, 0x%8.8lx, "
-      "0x%2.2x%2.2x%2.2x%2.2x, 0x%2.2x%2.2x%2.2x%2.2x, "
-      "0x%2.2x%2.2x%2.2x%2.2x, 0x%2.2x%2.2x%2.2x%2.2x,\n"
-      "  \"%4.4d/%2.2d/%2.2d %2.2d:%2.2d:%2.2d\", %lu, \"%s\" },\n",
+   printf("PNG_ICC_CHECKSUM(0x%8.8lx, 0x%8.8lx,\n   PNG_MD5("
+      "0x%2.2x%2.2x%2.2x%2.2x, 0x%2.2x%2.2x%2.2x%2.2x, 0x%2.2x%2.2x%2.2x%2.2x,"
+      " 0x%2.2x%2.2x%2.2x%2.2x), %d,\n"
+      "   \"%4.4d/%2.2d/%2.2d %2.2d:%2.2d:%2.2d\", %lu, \"%s\")\n",
       (unsigned long)a32, (unsigned long)c32,
       header[84], header[85], header[86], header[87],
       header[88], header[89], header[90], header[91],
       header[92], header[93], header[94], header[95],
       header[96], header[97], header[98], header[99],
 #     define u16(x) (header[x] * 256 + header[x+1])
-      u16(24), u16(26), u16(28), u16(30), u16(32), u16(34),
+#     define u32(x) (u16(x) * 65536 + u16(x+2))
+      u32(64), u16(24), u16(26), u16(28), u16(30), u16(32), u16(34),
       (unsigned long)length, name);
 
    return 1;
@@ -64,8 +65,7 @@ int main(int argc, char **argv)
 {
    int err = 0;
 
-   printf("= {\n/* adler32       crc32                        MD5\n"
-         "           date         length       name */\n");
+   printf("/* adler32, crc32, MD5[16], intent, date, length, file-name */\n");
 
    if (argc > 1)
    {
@@ -80,7 +80,7 @@ int main(int argc, char **argv)
             err = 1;
             perror(argv[i]);
             fprintf(stderr, "%s: read error\n", argv[i]);
-            printf(" { 0, 0, 0, /* ERROR: */, \"%s\" },\n", argv[i]);
+            printf("/* ERROR: %s */\n", argv[i]);
          }
 
          (void)fclose(ip);
@@ -94,11 +94,9 @@ int main(int argc, char **argv)
          err = 1;
          perror("stdin");
          fprintf(stderr, "stdin: read error\n");
-         printf(" { 0, 0, 0, /* ERROR: */, \"-\" },\n");
+         printf("/* ERROR: stdin */\n");
       }
    }
 
-   printf("};\n");
-
    return err;
 }
diff --git a/libpng-manual.txt b/libpng-manual.txt
index 60096397a..2a5a0efb0 100644
--- a/libpng-manual.txt
+++ b/libpng-manual.txt
@@ -1,6 +1,6 @@
 libpng-manual.txt - A description on how to use and modify libpng
 
- libpng version 1.6.0beta20 - March 19, 2012
+ libpng version 1.6.0beta20 - March 29, 2012
  Updated and distributed by Glenn Randers-Pehrson
  <glennrp at users.sourceforge.net>
  Copyright (c) 1998-2011 Glenn Randers-Pehrson
@@ -11,7 +11,7 @@ libpng-manual.txt - A description on how to use and modify libpng
 
  Based on:
 
- libpng versions 0.97, January 1998, through 1.6.0beta20 - March 19, 2012
+ libpng versions 0.97, January 1998, through 1.6.0beta20 - March 29, 2012
  Updated and distributed by Glenn Randers-Pehrson
  Copyright (c) 1998-2011 Glenn Randers-Pehrson
 
@@ -5003,7 +5003,7 @@ Other rules can be inferred by inspecting the libpng source.
 
 XVI. Y2K Compliance in libpng
 
-March 19, 2012
+March 29, 2012
 
 Since the PNG Development group is an ad-hoc body, we can't make
 an official declaration.
diff --git a/libpng.3 b/libpng.3
index 9e4485946..e91972341 100644
--- a/libpng.3
+++ b/libpng.3
@@ -1,4 +1,4 @@
-.TH LIBPNG 3 "March 19, 2012"
+.TH LIBPNG 3 "March 29, 2012"
 .SH NAME
 libpng \- Portable Network Graphics (PNG) Reference Library 1.6.0beta20
 .SH SYNOPSIS
@@ -1007,7 +1007,7 @@ Following is a copy of the libpng-manual.txt file that accompanies libpng.
 .SH LIBPNG.TXT
 libpng-manual.txt - A description on how to use and modify libpng
 
- libpng version 1.6.0beta20 - March 19, 2012
+ libpng version 1.6.0beta20 - March 29, 2012
  Updated and distributed by Glenn Randers-Pehrson
  <glennrp at users.sourceforge.net>
  Copyright (c) 1998-2011 Glenn Randers-Pehrson
@@ -1018,7 +1018,7 @@ libpng-manual.txt - A description on how to use and modify libpng
 
  Based on:
 
- libpng versions 0.97, January 1998, through 1.6.0beta20 - March 19, 2012
+ libpng versions 0.97, January 1998, through 1.6.0beta20 - March 29, 2012
  Updated and distributed by Glenn Randers-Pehrson
  Copyright (c) 1998-2011 Glenn Randers-Pehrson
 
@@ -6011,7 +6011,7 @@ Other rules can be inferred by inspecting the libpng source.
 
 .SH XVI. Y2K Compliance in libpng
 
-March 19, 2012
+March 29, 2012
 
 Since the PNG Development group is an ad-hoc body, we can't make
 an official declaration.
@@ -6279,7 +6279,7 @@ possible without all of you.
 
 Thanks to Frank J. T. Wojcik for helping with the documentation.
 
-Libpng version 1.6.0beta20 - March 19, 2012:
+Libpng version 1.6.0beta20 - March 29, 2012:
 Initially created in 1995 by Guy Eric Schalnat, then of Group 42, Inc.
 Currently maintained by Glenn Randers-Pehrson (glennrp at users.sourceforge.net).
 
@@ -6302,7 +6302,7 @@ this sentence.
 
 This code is released under the libpng license.
 
-libpng versions 1.2.6, August 15, 2004, through 1.6.0beta20, March 19, 2012, are
+libpng versions 1.2.6, August 15, 2004, through 1.6.0beta20, March 29, 2012, are
 Copyright (c) 2004,2006-2007 Glenn Randers-Pehrson, and are
 distributed according to the same disclaimer and license as libpng-1.2.5
 with the following individual added to the list of Contributing Authors
@@ -6401,7 +6401,7 @@ certification mark of the Open Source Initiative.
 
 Glenn Randers-Pehrson
 glennrp at users.sourceforge.net
-March 19, 2012
+March 29, 2012
 
 .\" end of man page
 
diff --git a/libpngpf.3 b/libpngpf.3
index 003d1554b..4a18df656 100644
--- a/libpngpf.3
+++ b/libpngpf.3
@@ -1,4 +1,4 @@
-.TH LIBPNGPF 3 "March 19, 2012"
+.TH LIBPNGPF 3 "March 29, 2012"
 .SH NAME
 libpng \- Portable Network Graphics (PNG) Reference Library 1.6.0beta20
 (private functions)
diff --git a/png.5 b/png.5
index 82f16caa8..34f0e5908 100644
--- a/png.5
+++ b/png.5
@@ -1,4 +1,4 @@
-.TH PNG 5 "March 19, 2012"
+.TH PNG 5 "March 29, 2012"
 .SH NAME
 png \- Portable Network Graphics (PNG) format
 .SH DESCRIPTION
diff --git a/png.c b/png.c
index e44e9391a..e25280914 100644
--- a/png.c
+++ b/png.c
@@ -2025,8 +2025,8 @@ static const struct
       "1998/02/09 06:49:00", 3144, "sRGB Profile.icc")
 
    PNG_ICC_CHECKSUM(0x0398f3fcUL, 0xf29e526dUL,
-      PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0,
-      "unknown", 3144, "HP-Microsoft sRGB v2 perceptual")
+      PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1,
+      "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative")
 };
 
 static int
diff --git a/png.h b/png.h
index ebf9827c7..2f933819e 100644
--- a/png.h
+++ b/png.h
@@ -1,7 +1,7 @@
 
 /* png.h - header file for PNG reference library
  *
- * libpng version 1.6.0beta20 - March 21, 2012
+ * libpng version 1.6.0beta20 - March 29, 2012
  * Copyright (c) 1998-2012 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -11,7 +11,7 @@
  * Authors and maintainers:
  *   libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat
  *   libpng versions 0.89c, June 1996, through 0.96, May 1997: Andreas Dilger
- *   libpng versions 0.97, January 1998, through 1.6.0beta20 - March 21, 2012: Glenn
+ *   libpng versions 0.97, January 1998, through 1.6.0beta20 - March 29, 2012: Glenn
  *   See also "Contributing Authors", below.
  *
  * Note about libpng version numbers:
@@ -198,7 +198,7 @@
  *
  * This code is released under the libpng license.
  *
- * libpng versions 1.2.6, August 15, 2004, through 1.6.0beta20, March 21, 2012, are
+ * libpng versions 1.2.6, August 15, 2004, through 1.6.0beta20, March 29, 2012, are
  * Copyright (c) 2004, 2006-2012 Glenn Randers-Pehrson, and are
  * distributed according to the same disclaimer and license as libpng-1.2.5
  * with the following individual added to the list of Contributing Authors:
@@ -310,7 +310,7 @@
  * Y2K compliance in libpng:
  * =========================
  *
- *    March 21, 2012
+ *    March 29, 2012
  *
  *    Since the PNG Development group is an ad-hoc body, we can't make
  *    an official declaration.
@@ -376,7 +376,7 @@
 /* Version information for png.h - this should match the version in png.c */
 #define PNG_LIBPNG_VER_STRING "1.6.0beta20"
 #define PNG_HEADER_VERSION_STRING \
-     " libpng version 1.6.0beta20 - March 21, 2012\n"
+     " libpng version 1.6.0beta20 - March 29, 2012\n"
 
 #define PNG_LIBPNG_VER_SONUM   16
 #define PNG_LIBPNG_VER_DLLNUM  16
diff --git a/pngconf.h b/pngconf.h
index c97be31f4..05d546989 100644
--- a/pngconf.h
+++ b/pngconf.h
@@ -1,7 +1,7 @@
 
 /* pngconf.h - machine configurable file for libpng
  *
- * libpng version 1.6.0beta20 - March 21, 2012
+ * libpng version 1.6.0beta20 - March 29, 2012
  *
  * Copyright (c) 1998-2012 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
diff --git a/pngset.c b/pngset.c
index ead9817ad..fb950af21 100644
--- a/pngset.c
+++ b/pngset.c
@@ -722,24 +722,28 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
     */
    if (info_ptr->num_text + num_text > info_ptr->max_text)
    {
+      int old_max_text = info_ptr->max_text;
+      int old_num_text = info_ptr->num_text;
+
       if (info_ptr->text != NULL)
       {
          png_textp old_text;
-         int old_max;
 
-         old_max = info_ptr->max_text;
          info_ptr->max_text = info_ptr->num_text + num_text + 8;
          old_text = info_ptr->text;
+
          info_ptr->text = (png_textp)png_malloc_warn(png_ptr,
             (png_size_t)(info_ptr->max_text * png_sizeof(png_text)));
 
          if (info_ptr->text == NULL)
          {
-            png_free(png_ptr, old_text);
+            /* Restore to previous condition */
+            info_ptr->max_text = old_max_text;
+            info_ptr->text = old_text;
             return(1);
          }
 
-         png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max *
+         png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max_text *
              png_sizeof(png_text)));
          png_free(png_ptr, old_text);
       }
@@ -751,7 +755,12 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
          info_ptr->text = (png_textp)png_malloc_warn(png_ptr,
              (png_size_t)(info_ptr->max_text * png_sizeof(png_text)));
          if (info_ptr->text == NULL)
+         {
+            /* Restore to previous condition */
+            info_ptr->num_text = old_num_text;
+            info_ptr->max_text = old_max_text;
             return(1);
+         }
          info_ptr->free_me |= PNG_FREE_TEXT;
       }
 
diff --git a/projects/vstudio/readme.txt b/projects/vstudio/readme.txt
index 452fcb5e4..98d8607df 100644
--- a/projects/vstudio/readme.txt
+++ b/projects/vstudio/readme.txt
@@ -1,7 +1,7 @@
 
 VisualStudio instructions
 
-libpng version 1.6.0beta20 - March 19, 2012
+libpng version 1.6.0beta20 - March 29, 2012
 
 Copyright (c) 1998-2010 Glenn Randers-Pehrson
 
diff --git a/projects/vstudio/zlib.props b/projects/vstudio/zlib.props
index 7519cb907..89ab97b7d 100644
--- a/projects/vstudio/zlib.props
+++ b/projects/vstudio/zlib.props
@@ -2,7 +2,7 @@
 <!--
  * zlib.props - location of zlib source
  *
- * libpng version 1.6.0beta20 - March 19, 2012
+ * libpng version 1.6.0beta20 - March 29, 2012
  *
  * Copyright (c) 1998-2011 Glenn Randers-Pehrson
  *
diff --git a/scripts/README.txt b/scripts/README.txt
index 01c61e60f..4018a114c 100644
--- a/scripts/README.txt
+++ b/scripts/README.txt
@@ -1,5 +1,5 @@
 
-Makefiles for  libpng version 1.6.0beta20 - March 19, 2012
+Makefiles for  libpng version 1.6.0beta20 - March 29, 2012
 
 pnglibconf.h.prebuilt       =>  Stores configuration settings
  makefile.linux    =>  Linux/ELF makefile