-rw-r--r--ANNOUNCE8
-rw-r--r--CHANGES7
-rw-r--r--pngread.c21
-rw-r--r--pngrtran.c28
4 files changed, 41 insertions, 23 deletions
diff --git a/ANNOUNCE b/ANNOUNCE
index 37ff2f941..cbd22b4ce 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -212,7 +212,13 @@ Version 1.6.0beta11 [February 16, 2012]
Apps are responsible for checking to see if that happened.
Version 1.6.0beta12 [February 17, 2012]
- Increase num_palette to invalid_index + 1, not to invalid_index.
+ Do not increase num_palette on invalid_index.
+ Relocated check for invalid palette index to pngrtran.c, after unpacking
+ the sub-8-bit pixels.
+ Fixed CVE-2011-3026 buffer overrun bug. Deal more correctly with the test
+ on iCCP chunk length. Also removed spurious casts that may hide problems
+ on 16-bit systems.
+
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/CHANGES b/CHANGES
index 8429c2fc6..eaeea5a9b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3963,7 +3963,12 @@ Version 1.6.0beta11 [February 16, 2012]
Apps are responsible for checking to see if that happened.
Version 1.6.0beta12 [February 17, 2012]
- Increase num_palette to invalid_index + 1, not to invalid_index.
+ Do not increase num_palette on invalid_index.
+ Relocated check for invalid palette index to pngrtran.c, after unpacking
+ the sub-8-bit pixels.
+ Fixed CVE-2011-3026 buffer overrun bug. Deal more correctly with the test
+ on iCCP chunk length. Also removed spurious casts that may hide problems
+ on 16-bit systems.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/pngread.c b/pngread.c
index 968a3920c..6db31efd1 100644
--- a/pngread.c
+++ b/pngread.c
@@ -523,27 +523,6 @@ png_read_row(png_structrp png_ptr, png_bytep row, png_bytep dsp_row)
png_error(png_ptr, "bad adaptive filter value");
}
- if ((png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) &&
- (png_ptr->num_palette < (1 << png_ptr->bit_depth)))
- {
- if ((png_ptr->interlaced && png_ptr->pass == 6) ||
- (!png_ptr->interlaced && png_ptr->pass == 0))
- {
- png_uint_32 i;
- png_bytep rp = png_ptr->row_buf+1;
-
- for (i = 0; i <= row_info.rowbytes; i++)
- {
- if (*rp >= png_ptr->num_palette)
- {
- png_warning(png_ptr,"Found invalid palette index");
- png_ptr->num_palette=*rp + 1;
- }
- rp++;
- }
- }
- }
-
/* libpng 1.5.6: the following line was copying png_ptr->rowbytes before
* 1.5.6, while the buffer really is this big in current versions of libpng
* it may not be in the future, so this was changed just to copy the
diff --git a/pngrtran.c b/pngrtran.c
index 19939477f..8d7ec8821 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -2294,6 +2294,34 @@ png_do_read_transformations(png_structrp png_ptr, png_row_infop row_info)
png_do_unpack(row_info, png_ptr->row_buf + 1);
#endif
+/* Added at libpng-1.6.0 */
+#ifdef PNG_CHECK_FOR_INVALID_INDEX_SUPPORTED
+ /* To do: Fix does not check sub-8-bit rows that have not been unpacked. */
+ if (row_info->color_type == PNG_COLOR_TYPE_PALETTE &&
+ row_info->bit_depth == 8)
+ if (png_ptr->num_palette < (1 << png_ptr->bit_depth))
+ {
+ if ((png_ptr->interlaced && png_ptr->pass == 6) ||
+ (!png_ptr->interlaced && png_ptr->pass == 0))
+ {
+ png_uint_32 i;
+ png_bytep rp = png_ptr->row_buf+1; /* +1 to skip the filter byte */
+
+ for (i = 0; i <= row_info->rowbytes; i++)
+ {
+ if (*rp >= png_ptr->num_palette)
+ {
+ /* Should this be a benign error instead of a warning? */
+ png_warning(png_ptr,"Found invalid palette index");
+ break;
+ }
+
+ rp++;
+ }
+ }
+ }
+#endif
+
#ifdef PNG_READ_BGR_SUPPORTED
if (png_ptr->transformations & PNG_BGR)
png_do_bgr(row_info, png_ptr->row_buf + 1);
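Review bot: The scan loop `for (i = 0; i <= row_info->rowbytes; i++)` visits rowbytes+1 bytes, so its last iteration reads `row_buf[1 + rowbytes]`, one byte past the row's pixel data; in the 8-bit palette case guarded by `row_info->bit_depth == 8` that byte is never a pixel, so at best it can only raise a spurious "Found invalid palette index" warning and at worst, depending on how row_buf is sized elsewhere (not visible here), it is a one-byte over-read. The bound should be `for (i = 0; i < row_info->rowbytes; i++)`; the removed pngread.c loop had the same `<=`, so the relocation carried it over. The check is warn-and-break only, so, as the inline question at the `png_warning` already hints, a row containing an out-of-range index still flows unchanged into the following transformations; the comment above the loop should state that explicitly, e.g. `/* Advisory only: the row is not modified, so an index >= num_palette still reaches later transforms */`. png_do_read_transformations starts and ends outside the hunk.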