Diffstat (limited to 'pngrutil.c')
-rw-r--r-- | pngrutil.c | 48 |
1 files changed, 23 insertions, 25 deletions
diff --git a/pngrutil.c b/pngrutil.c
index 062f287ed..98e952406 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1,8 +1,8 @@
 /* pngrutil.c - utilities to read a PNG file
 *
- * Last changed in libpng 1.6.8 [December 19, 2013]
- * Copyright (c) 1998-2013 Glenn Randers-Pehrson
+ * Last changed in libpng 1.6.10 [March 6, 2014]
+ * Copyright (c) 1998-2014 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
 *
@@ -227,10 +227,7 @@ png_crc_finish(png_structrp png_ptr, png_uint_32 skip)
 }
 else
- {
- png_chunk_benign_error(png_ptr, "CRC error");
- return (0);
- }
+ png_chunk_error(png_ptr, "CRC error");
 return (1);
 }
@@ -314,16 +311,11 @@ png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size, int warn)
 else if (warn < 2) /* else silent */
 {
-#ifdef PNG_WARNINGS_SUPPORTED
 if (warn)
 png_chunk_warning(png_ptr, "insufficient memory to read chunk");
+
 else
-#endif
- {
-#ifdef PNG_ERROR_TEXT_SUPPORTED
 png_chunk_error(png_ptr, "insufficient memory to read chunk");
-#endif
- }
 }
 }
@@ -986,22 +978,15 @@ png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE))
 {
 if (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN)
- {
- png_chunk_benign_error(png_ptr, "CRC error");
- }
+ return;
 else
- {
- png_chunk_warning(png_ptr, "CRC error");
- return;
- }
+ png_chunk_error(png_ptr, "CRC error");
 }
 /* Otherwise, we (optionally) emit a warning and use the chunk. */
 else if (!(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN))
- {
 png_chunk_warning(png_ptr, "CRC error");
- }
 }
 #endif
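Review bot: In png_crc_finish the rewritten `else` arm depends on png_chunk_error() not returning, and the code does not say so; the unbraced call sits directly above the `return (1)` that the warning arm also reaches. The removed lines returned 0 after a benign error, which let a caller carry on with a chunk whose CRC had failed, so this is a behaviour change for applications that downgrade benign errors to warnings. A comment such as `/* CRC mismatch is fatal here: png_chunk_error does not return, so 0 is never reported for a bad chunk */` would record the intent. The condition that selects this arm lies outside the hunk.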
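Review bot: The `warn == 0` arm of png_read_buffer is now an unconditional png_chunk_error call, but nothing records that this arm must never fall through to the caller. In the removed lines the call was compiled out when PNG_ERROR_TEXT_SUPPORTED was undefined, leaving an empty block, so the function presumably went on to return without a usable buffer. A one-line comment such as `/* warn == 0: callers do not check the result, so this must not return */` would keep the guard from being reintroduced; the claim about callers is inferred and should be confirmed. The function body starts outside the hunk.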
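Review bot: In png_handle_PLTE the two actions in the `!PNG_FLAG_CRC_ANCILLARY_USE` branch look swapped: with PNG_FLAG_CRC_ANCILLARY_NOWARN set the chunk is now dropped by a silent `return`, and without it the code calls png_chunk_error. The removed lines had the milder action (warning, then return) on the non-NOWARN side. If NOWARN without USE is how png_set_crc_action stores PNG_CRC_ERROR_QUIT (not visible here, so confirm), a caller that asked for a hard stop gets a silent discard and the default configuration gets a fatal error. In that case the inner test should read `if (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) png_chunk_error(png_ptr, "CRC error");` with the `else` arm warning and returning.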
@@ -1112,13 +1097,12 @@ png_handle_gAMA(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 void /* PRIVATE */
 png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 {
- unsigned int truelen;
+ unsigned int truelen, i;
+ png_byte sample_depth;
 png_byte buf[4];
 png_debug(1, "in png_handle_sBIT");
- buf[0] = buf[1] = buf[2] = buf[3] = 0;
-
 if (!(png_ptr->mode & PNG_HAVE_IHDR))
 png_chunk_error(png_ptr, "missing IHDR");
@@ -1137,10 +1121,16 @@ png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 }
 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+ {
 truelen = 3;
+ sample_depth = 8;
+ }
 else
+ {
 truelen = png_ptr->channels;
+ sample_depth = png_ptr->bit_depth;
+ }
 if (length != truelen || length > 4)
 {
@@ -1149,11 +1139,19 @@ png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 return;
 }
+ buf[0] = buf[1] = buf[2] = buf[3] = sample_depth;
 png_crc_read(png_ptr, buf, truelen);
 if (png_crc_finish(png_ptr, 0))
 return;
+ for (i=0; i<truelen; ++i)
+ if (buf[i] == 0 || buf[i] > sample_depth)
+ {
+ png_chunk_benign_error(png_ptr, "invalid");
+ return;
+ }
+
 if (png_ptr->color_type & PNG_COLOR_MASK_COLOR)
 {
 png_ptr->sig_bit.red = buf[0];
@@ -1423,7 +1421,7 @@ png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 (sizeof local_buffer), &length,
 profile + (sizeof profile_header), &size, 0);
- /* Still expect a a buffer error because we expect
+ /* Still expect a buffer error because we expect
 * there to be some tag data!
 */
 if (size == 0) |
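Review bot: The new range check in png_handle_sBIT (the hunk at -1149) and the pre-fill of `buf` with `sample_depth` carry no comment, and the benign-error text `"invalid"` does not say which constraint failed. The pre-fill matters because only `truelen` bytes are read, so the remaining entries keep `sample_depth` rather than the 0 the removed initialiser left there; a comment such as `/* sBIT entries must be in 1..sample_depth; entries not present in the chunk keep the full depth */` would record that. Rejecting 0 and over-depth values before they are stored in `sig_bit` is the point of the check, since later code presumably derives shift counts from those fields. The `for` body would also read more safely with braces around it.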