diff -ru4N libpng-1.2.26/png.h libpng-1.2.27beta02/png.h --- libpng-1.2.26/png.h 2008-04-02 12:27:29.867681595 -0500 +++ libpng-1.2.27beta02/png.h 2008-04-13 20:53:39.028492214 -0500 @@ -180,8 +180,11 @@ * 1.0.31 10 10031 10.so.0.31[.0] * 1.2.25 13 10225 12.so.0.25[.0] * 1.2.26beta01-06 13 10226 12.so.0.26[.0] * 1.2.26rc01 13 10226 12.so.0.26[.0] + * 1.2.26 13 10226 12.so.0.26[.0] + * 1.0.32 10 10032 10.so.0.32[.0] + * 1.2.27beta01-02 13 10227 12.so.0.27[.0] * * Henceforth the source version will match the shared-library major * and minor numbers; the shared-library major version number will be * used for changes in backward compatibility, as it is intended. The @@ -189,9 +192,9 @@ * for applications, is an unsigned integer of the form xyyzz corresponding * to the source version x.y.z (leading zeros in y and z). Beta versions * were given the previous public release number plus a letter, until * version 1.0.6j; from then on they were given the upcoming public - * release number plus "betaNN" or "rcN". + * release number plus "betaNN" or "rcNN". * * Binary incompatibility exists only when applications make direct access * to the info_ptr or png_ptr members through png.h, and the compiled * application is loaded with a different version of the library. diff -ru4N libpng-1.2.26/pngpread.c libpng-1.2.27beta02/pngpread.c --- libpng-1.2.26/pngpread.c 2008-04-05 21:37:29.944173338 -0500 +++ libpng-1.2.27beta02/pngpread.c 2008-04-13 20:53:39.282050658 -0500 @@ -1,8 +1,8 @@ /* pngpread.c - read a png file in push mode * - * Last changed in libpng 1.2.26 [April 2, 2008] + * Last changed in libpng 1.2.27 [April 14, 2008] * For conditions of distribution and use, see copyright notice in png.h * Copyright (c) 1998-2008 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -1501,11 +1501,16 @@ (png_charp)png_ptr->chunk_name, png_sizeof(png_ptr->unknown_chunk.name)); png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1]='\0'; - png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length); png_ptr->unknown_chunk.size = (png_size_t)length; - png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length); + if (length == 0) + png_ptr->unknown_chunk.data = NULL; + else + { + png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length); + png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length); + } #if defined(PNG_READ_USER_CHUNKS_SUPPORTED) if(png_ptr->read_user_chunk_fn != NULL) { /* callback to user unknown chunk handler */ @@ -1526,10 +1531,13 @@ } else #endif png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1); - png_free(png_ptr, png_ptr->unknown_chunk.data); - png_ptr->unknown_chunk.data = NULL; + if (png_ptr->unknown_chunk.data) + { + png_free(png_ptr, png_ptr->unknown_chunk.data); + png_ptr->unknown_chunk.data = NULL; + } } else #endif skip=length; diff -ru4N libpng-1.2.26/pngrtran.c libpng-1.2.27beta02/pngrtran.c --- libpng-1.2.26/pngrtran.c 2008-04-02 12:27:30.477040372 -0500 +++ libpng-1.2.27beta02/pngrtran.c 2008-04-13 20:53:39.486343033 -0500 @@ -966,9 +966,9 @@ } /* Prevent the transformations being done again, and make sure * that the now spurious alpha channel is stripped - the code * has just reduced background composition and gamma correction - * to a simply alpha channel strip. + * to a simple alpha channel strip. */ png_ptr->transformations &= ~PNG_BACKGROUND; png_ptr->transformations &= ~PNG_GAMMA; png_ptr->transformations |= PNG_STRIP_ALPHA; diff -ru4N libpng-1.2.26/pngrutil.c libpng-1.2.27beta02/pngrutil.c --- libpng-1.2.26/pngrutil.c 2008-04-05 21:37:32.785260077 -0500 +++ libpng-1.2.27beta02/pngrutil.c 2008-04-13 20:53:39.579749447 -0500 @@ -1,8 +1,8 @@ /* pngrutil.c - utilities to read a PNG file * - * Last changed in libpng 1.2.26 [April 2, 2008] + * Last changed in libpng 1.2.27 [April 14, 2008] * For conditions of distribution and use, see copyright notice in png.h * Copyright (c) 1998-2008 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -1240,17 +1240,11 @@ void /* PRIVATE */ png_handle_tRNS(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { png_byte readbuf[PNG_MAX_PALETTE_LENGTH]; - int bit_mask; png_debug(1, "in png_handle_tRNS\n"); - /* For non-indexed color, mask off any bits in the tRNS value that - * exceed the bit depth. Some creators were writing extra bits there. - * This is not needed for indexed color. */ - bit_mask = (1 << png_ptr->bit_depth) - 1; - if (!(png_ptr->mode & PNG_HAVE_IHDR)) png_error(png_ptr, "Missing IHDR before tRNS"); else if (png_ptr->mode & PNG_HAVE_IDAT) { @@ -1277,9 +1271,9 @@ } png_crc_read(png_ptr, buf, 2); png_ptr->num_trans = 1; - png_ptr->trans_values.gray = png_get_uint_16(buf) & bit_mask; + png_ptr->trans_values.gray = png_get_uint_16(buf); } else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB) { png_byte buf[6]; @@ -1291,11 +1285,11 @@ return; } png_crc_read(png_ptr, buf, (png_size_t)length); png_ptr->num_trans = 1; - png_ptr->trans_values.red = png_get_uint_16(buf) & bit_mask; - png_ptr->trans_values.green = png_get_uint_16(buf + 2) & bit_mask; - png_ptr->trans_values.blue = png_get_uint_16(buf + 4) & bit_mask; + png_ptr->trans_values.red = png_get_uint_16(buf); + png_ptr->trans_values.green = png_get_uint_16(buf + 2); + png_ptr->trans_values.blue = png_get_uint_16(buf + 4); } else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) { if (!(png_ptr->mode & PNG_HAVE_PLTE)) @@ -2226,11 +2220,16 @@ png_memcpy((png_charp)png_ptr->unknown_chunk.name, (png_charp)png_ptr->chunk_name, png_sizeof(png_ptr->unknown_chunk.name)); png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1] = '\0'; - png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length); png_ptr->unknown_chunk.size = (png_size_t)length; - png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length); + if (length == 0) + png_ptr->unknown_chunk.data = NULL; + else + { + png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length); + png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length); + } #if defined(PNG_READ_USER_CHUNKS_SUPPORTED) if(png_ptr->read_user_chunk_fn != NULL) { /* callback to user unknown chunk handler */ @@ -2251,10 +2250,13 @@ } else #endif png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1); - png_free(png_ptr, png_ptr->unknown_chunk.data); - png_ptr->unknown_chunk.data = NULL; + if (png_ptr->unknown_chunk.data) + { + png_free(png_ptr, png_ptr->unknown_chunk.data); + png_ptr->unknown_chunk.data = NULL; + } } else #endif skip = length; diff -ru4N libpng-1.2.26/pngset.c libpng-1.2.27beta02/pngset.c --- libpng-1.2.26/pngset.c 2008-04-02 12:27:30.621225067 -0500 +++ libpng-1.2.27beta02/pngset.c 2008-04-13 20:53:39.624526243 -0500 @@ -1,8 +1,8 @@ /* pngset.c - storage of image information into info struct * - * Last changed in libpng 1.2.25 [February 18, 2008] + * Last changed in libpng 1.2.27 [April 14, 2008] * For conditions of distribution and use, see copyright notice in png.h * Copyright (c) 1998-2008 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -937,8 +937,19 @@ } if (trans_values != NULL) { + int sample_max = (1 << info_ptr->bit_depth); + if ((info_ptr->color_type == PNG_COLOR_TYPE_GRAY && + (int)trans_values->gray > sample_max) || + (info_ptr->color_type == PNG_COLOR_TYPE_RGB && + ((int)trans_values->red > sample_max || + (int)trans_values->green > sample_max || + (int)trans_values->blue > sample_max))) + { + png_warning(png_ptr, + "tRNS chunk has out-of-range samples for bit_depth"); + } png_memcpy(&(info_ptr->trans_values), trans_values, png_sizeof(png_color_16)); if (num_trans == 0) num_trans = 1; @@ -1039,30 +1050,33 @@ info_ptr->unknown_chunks=NULL; for (i = 0; i < num_unknowns; i++) { - png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i; - png_unknown_chunkp from = unknowns + i; + png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i; + png_unknown_chunkp from = unknowns + i; - png_memcpy((png_charp)to->name, - (png_charp)from->name, - png_sizeof(from->name)); - to->name[png_sizeof(to->name)-1] = '\0'; + png_memcpy((png_charp)to->name, + (png_charp)from->name, + png_sizeof(from->name)); + to->name[png_sizeof(to->name)-1] = '\0'; + to->size = from->size; + /* note our location in the read or write sequence */ + to->location = (png_byte)(png_ptr->mode & 0xff); - to->data = (png_bytep)png_malloc_warn(png_ptr, from->size); - if (to->data == NULL) - { - png_warning(png_ptr, + if (from->size == 0) + to->data=NULL; + else + { + to->data = (png_bytep)png_malloc_warn(png_ptr, from->size); + if (to->data == NULL) + { + png_warning(png_ptr, "Out of memory while processing unknown chunk."); - } - else - { - png_memcpy(to->data, from->data, from->size); - to->size = from->size; - - /* note our location in the read or write sequence */ - to->location = (png_byte)(png_ptr->mode & 0xff); - } + to->size=0; + } + else + png_memcpy(to->data, from->data, from->size); + } } info_ptr->unknown_chunks = np; info_ptr->unknown_chunks_num += num_unknowns; diff -ru4N libpng-1.2.26/pngwrite.c libpng-1.2.27beta02/pngwrite.c --- libpng-1.2.26/pngwrite.c 2008-04-02 12:27:30.775542734 -0500 +++ libpng-1.2.27beta02/pngwrite.c 2008-04-13 20:53:39.786032793 -0500 @@ -1,8 +1,8 @@ /* pngwrite.c - general routines to write a PNG file * - * Last changed in libpng 1.2.25 [February 18, 2008] + * Last changed in libpng 1.2.27 [April 14, 2008] * For conditions of distribution and use, see copyright notice in png.h * Copyright (c) 1998-2008 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -111,8 +111,10 @@ !(up->location & PNG_HAVE_IDAT) && ((up->name[3] & 0x20) || keep == PNG_HANDLE_CHUNK_ALWAYS || (png_ptr->flags & PNG_FLAG_KEEP_UNSAFE_CHUNKS))) { + if (up->size == 0) + png_warning(png_ptr, "Writing zero-length unknown chunk"); png_write_chunk(png_ptr, up->name, up->data, up->size); } } }