diff -ru4NwbB libpng-1.2.40/png.c libpng-1.2.41beta02/png.c --- libpng-1.2.40/png.c 2009-09-10 06:38:50.146570290 -0500 +++ libpng-1.2.41beta02/png.c 2009-09-30 14:43:43.666052660 -0500 @@ -1,8 +1,8 @@ /* png.c - location for general purpose libpng functions * - * Last changed in libpng 1.2.39 [August 13, 2009] + * Last changed in libpng 1.2.41 [September 30, 2009] * Copyright (c) 1998-2009 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -922,5 +922,157 @@ return ret; } #endif /* NO_PNG_CHECK_cHRM */ #endif /* PNG_cHRM_SUPPORTED */ + + +void /* PRIVATE */ +png_check_IHDR(png_structp png_ptr, + png_uint_32 width, png_uint_32 height, int bit_depth, + int color_type, int interlace_type, int compression_type, + int filter_type) +{ + int error = 0; + + /* Check for width and height valid values */ + if (width == 0) + { + png_warning(png_ptr, "Image width is zero in IHDR"); + error = 1; + } + + if (height == 0) + { + png_warning(png_ptr, "Image height is zero in IHDR"); + error = 1; + } + +#ifdef PNG_SET_USER_LIMITS_SUPPORTED + if (width > png_ptr->user_width_max || width > PNG_USER_WIDTH_MAX) +#else + if (width > PNG_USER_WIDTH_MAX) +#endif + { + png_warning(png_ptr, "Image width exceeds user limit in IHDR"); + if ((width >> 16) == height) + { + /* This is likely to be caused by passing consecutive addresses + * of 16-bit width and height variables to png_get_IHDR(), which + * overflowed when we tried to fill them with 31-bit data. + */ + png_warning(png_ptr, "High bytes of width == low bytes of height"); + } + error = 1; + } + +#ifdef PNG_SET_USER_LIMITS_SUPPORTED + if (height > png_ptr->user_height_max || height > PNG_USER_HEIGHT_MAX) +#else + if (height > PNG_USER_HEIGHT_MAX) +#endif + { + png_warning(png_ptr, "Image height exceeds user limit in IHDR"); + error = 1; + } + + if (width > PNG_UINT_31_MAX) + { + png_warning(png_ptr, "Invalid image width in IHDR"); + error = 1; + } + + if ( height > PNG_UINT_31_MAX) + { + png_warning(png_ptr, "Invalid image height in IHDR"); + error = 1; + } + + if ( width > (PNG_UINT_32_MAX + >> 3) /* 8-byte RGBA pixels */ + - 64 /* bigrowbuf hack */ + - 1 /* filter byte */ + - 7*8 /* rounding of width to multiple of 8 pixels */ + - 8) /* extra max_pixel_depth pad */ + png_warning(png_ptr, "Width is too large for libpng to process pixels"); + + /* Check other values */ + if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 && + bit_depth != 8 && bit_depth != 16) + { + png_warning(png_ptr, "Invalid bit depth in IHDR"); + error = 1; + } + + if (color_type < 0 || color_type == 1 || + color_type == 5 || color_type > 6) + { + png_warning(png_ptr, "Invalid color type in IHDR"); + error = 1; + } + + if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) || + ((color_type == PNG_COLOR_TYPE_RGB || + color_type == PNG_COLOR_TYPE_GRAY_ALPHA || + color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8)) + { + png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR"); + error = 1; + } + + if (interlace_type >= PNG_INTERLACE_LAST) + { + png_warning(png_ptr, "Unknown interlace method in IHDR"); + error = 1; + } + + if (compression_type != PNG_COMPRESSION_TYPE_BASE) + { + png_warning(png_ptr, "Unknown compression method in IHDR"); + error = 1; + } + +#ifdef PNG_MNG_FEATURES_SUPPORTED + /* Accept filter_method 64 (intrapixel differencing) only if + * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and + * 2. Libpng did not read a PNG signature (this filter_method is only + * used in PNG datastreams that are embedded in MNG datastreams) and + * 3. The application called png_permit_mng_features with a mask that + * included PNG_FLAG_MNG_FILTER_64 and + * 4. The filter_method is 64 and + * 5. The color_type is RGB or RGBA + */ + if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) && + png_ptr->mng_features_permitted) + png_warning(png_ptr, "MNG features are not allowed in a PNG datastream"); + + if (filter_type != PNG_FILTER_TYPE_BASE) + { + if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) && + (filter_type == PNG_INTRAPIXEL_DIFFERENCING) && + ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) && + (color_type == PNG_COLOR_TYPE_RGB || + color_type == PNG_COLOR_TYPE_RGB_ALPHA))) + { + png_warning(png_ptr, "Unknown filter method in IHDR"); + error = 1; + } + + if (png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) + { + png_warning(png_ptr, "Invalid filter method in IHDR"); + error = 1; + } + } + +#else + if (filter_type != PNG_FILTER_TYPE_BASE) + { + png_warning(png_ptr, "Unknown filter method in IHDR"); + error = 1; + } +#endif + + if (error == 1) + png_error(png_ptr, "Invalid IHDR data"); +} + #endif /* defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) */ diff -ru4NwbB libpng-1.2.40/png.h libpng-1.2.41beta02/png.h --- libpng-1.2.40/png.h 2009-09-10 06:38:50.123684056 -0500 +++ libpng-1.2.41beta02/png.h 2009-09-30 14:43:43.641947077 -0500 @@ -244,8 +244,9 @@ * 1.2.40beta01 13 10240 12.so.0.40[.0] * 1.2.40rc01 13 10240 12.so.0.40[.0] * 1.0.49 10 10049 10.so.0.49[.0] * 1.2.40 13 10240 12.so.0.40[.0] + * 1.2.41alpha01 13 10241 12.so.0.41[.0] * * Henceforth the source version will match the shared-library major * and minor numbers; the shared-library major version number will be * used for changes in backward compatibility, as it is intended. The @@ -3707,13 +3708,19 @@ #if defined(PNG_cHRM_SUPPORTED) #if !defined(PNG_NO_CHECK_cHRM) /* Added at libpng version 1.2.34 */ -PNG_EXTERN void png_64bit_product (long v1, long v2, unsigned long *hi_product, - unsigned long *lo_product); +PNG_EXTERN void png_64bit_product PNGARG((long v1, long v2, + unsigned long *hi_product, unsigned long *lo_product)); #endif #endif +/* Added at libpng version 1.2.41 */ +PNG_EXTERN void png_check_IHDR PNGARG((png_structp png_ptr, + png_uint_32 width, png_uint_32 height, int bit_depth, + int color_type, int interlace_type, int compression_type, + int filter_type)); + /* Maintainer: Put new private prototypes here ^ and in libpngpf.3 */ #endif /* PNG_INTERNAL */ diff -ru4NwbB libpng-1.2.40/pngconf.h libpng-1.2.41beta02/pngconf.h --- libpng-1.2.40/pngconf.h 2009-09-10 06:38:50.132156034 -0500 +++ libpng-1.2.41beta02/pngconf.h 2009-09-30 14:43:43.650894647 -0500 @@ -786,18 +786,19 @@ #endif /* end of obsolete code to be removed from libpng-1.4.0 */ +/* Added at libpng-1.2.0 */ #if !defined(PNG_1_0_X) #if !defined(PNG_NO_USER_MEM) && !defined(PNG_USER_MEM_SUPPORTED) # define PNG_USER_MEM_SUPPORTED #endif #endif /* PNG_1_0_X */ /* Added at libpng-1.2.6 */ -#if !defined(PNG_1_0_X) +#ifndef PNG_1_0_X #ifndef PNG_SET_USER_LIMITS_SUPPORTED -#if !defined(PNG_NO_SET_USER_LIMITS) && !defined(PNG_SET_USER_LIMITS_SUPPORTED) +# ifndef PNG_NO_SET_USER_LIMITS # define PNG_SET_USER_LIMITS_SUPPORTED #endif #endif #endif /* PNG_1_0_X */ diff -ru4NwbB libpng-1.2.40/pngget.c libpng-1.2.41beta02/pngget.c --- libpng-1.2.40/pngget.c 2009-09-10 06:38:50.163801426 -0500 +++ libpng-1.2.41beta02/pngget.c 2009-09-30 14:43:43.683617597 -0500 @@ -1,8 +1,8 @@ /* pngget.c - retrieval of values from info struct * - * Last changed in libpng 1.2.37 [June 4, 2009] + * Last changed in libpng 1.2.41 [September 30, 2009] * Copyright (c) 1998-2009 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -565,56 +565,47 @@ png_get_IHDR(png_structp png_ptr, png_infop info_ptr, png_uint_32 *width, png_uint_32 *height, int *bit_depth, int *color_type, int *interlace_type, int *compression_type, int *filter_type) - -{ - if (png_ptr != NULL && info_ptr != NULL && width != NULL && height != NULL && - bit_depth != NULL && color_type != NULL) { + int test_interlace_type = 0; + int test_compression_type = 0; + int test_filter_type = 0; + png_debug1(1, "in %s retrieval function", "IHDR"); + + if (png_ptr == NULL || info_ptr == NULL || width == NULL || + height == NULL || bit_depth == NULL || color_type == NULL) + return (0); + *width = info_ptr->width; *height = info_ptr->height; *bit_depth = info_ptr->bit_depth; - if (info_ptr->bit_depth < 1 || info_ptr->bit_depth > 16) - png_error(png_ptr, "Invalid bit depth"); - *color_type = info_ptr->color_type; - if (info_ptr->color_type > 6) - png_error(png_ptr, "Invalid color type"); - if (compression_type != NULL) + { *compression_type = info_ptr->compression_type; + test_compression_type = *compression_type; + } if (filter_type != NULL) + { *filter_type = info_ptr->filter_type; + test_filter_type = *filter_type; + } if (interlace_type != NULL) - *interlace_type = info_ptr->interlace_type; - - /* Check for potential overflow of rowbytes */ - if (*width == 0 || *width > PNG_UINT_31_MAX) - png_error(png_ptr, "Invalid image width"); - - if (*height == 0 || *height > PNG_UINT_31_MAX) - png_error(png_ptr, "Invalid image height"); - - if (info_ptr->width > (PNG_UINT_32_MAX - >> 3) /* 8-byte RGBA pixels */ - - 64 /* bigrowbuf hack */ - - 1 /* filter byte */ - - 7*8 /* rounding of width to multiple of 8 pixels */ - - 8) /* extra max_pixel_depth pad */ { - png_warning(png_ptr, - "Width too large for libpng to process image data."); + *interlace_type = info_ptr->interlace_type; + test_interlace_type = *interlace_type; } + png_check_IHDR (png_ptr, *width, *height, *bit_depth, *color_type, + test_interlace_type, test_compression_type, test_filter_type); + return (1); } - return (0); -} #if defined(PNG_oFFs_SUPPORTED) png_uint_32 PNGAPI png_get_oFFs(png_structp png_ptr, png_infop info_ptr, diff -ru4NwbB libpng-1.2.40/pngset.c libpng-1.2.41beta02/pngset.c --- libpng-1.2.40/pngset.c 2009-09-10 06:38:50.226299947 -0500 +++ libpng-1.2.41beta02/pngset.c 2009-09-30 14:43:43.749683191 -0500 @@ -1,8 +1,8 @@ /* pngset.c - storage of image information into info struct * - * Last changed in libpng 1.2.40 [September 30, 2009] + * Last changed in libpng 1.2.41 [September 30, 2009] * Copyright (c) 1998-2009 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -232,76 +232,10 @@ if (png_ptr == NULL || info_ptr == NULL) return; - /* Check for width and height valid values */ - if (width == 0 || height == 0) - png_error(png_ptr, "Image width or height is zero in IHDR"); -#ifdef PNG_SET_USER_LIMITS_SUPPORTED - if (width > png_ptr->user_width_max || height > png_ptr->user_height_max) - png_error(png_ptr, "image size exceeds user limits in IHDR"); -#else - if (width > PNG_USER_WIDTH_MAX || height > PNG_USER_HEIGHT_MAX) - png_error(png_ptr, "image size exceeds user limits in IHDR"); -#endif - if (width > PNG_UINT_31_MAX || height > PNG_UINT_31_MAX) - png_error(png_ptr, "Invalid image size in IHDR"); - if ( width > (PNG_UINT_32_MAX - >> 3) /* 8-byte RGBA pixels */ - - 64 /* bigrowbuf hack */ - - 1 /* filter byte */ - - 7*8 /* rounding of width to multiple of 8 pixels */ - - 8) /* extra max_pixel_depth pad */ - png_warning(png_ptr, "Width is too large for libpng to process pixels"); - - /* Check other values */ - if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 && - bit_depth != 8 && bit_depth != 16) - png_error(png_ptr, "Invalid bit depth in IHDR"); - - if (color_type < 0 || color_type == 1 || - color_type == 5 || color_type > 6) - png_error(png_ptr, "Invalid color type in IHDR"); - - if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) || - ((color_type == PNG_COLOR_TYPE_RGB || - color_type == PNG_COLOR_TYPE_GRAY_ALPHA || - color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8)) - png_error(png_ptr, "Invalid color type/bit depth combination in IHDR"); - - if (interlace_type >= PNG_INTERLACE_LAST) - png_error(png_ptr, "Unknown interlace method in IHDR"); - - if (compression_type != PNG_COMPRESSION_TYPE_BASE) - png_error(png_ptr, "Unknown compression method in IHDR"); - -#if defined(PNG_MNG_FEATURES_SUPPORTED) - /* Accept filter_method 64 (intrapixel differencing) only if - * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and - * 2. Libpng did not read a PNG signature (this filter_method is only - * used in PNG datastreams that are embedded in MNG datastreams) and - * 3. The application called png_permit_mng_features with a mask that - * included PNG_FLAG_MNG_FILTER_64 and - * 4. The filter_method is 64 and - * 5. The color_type is RGB or RGBA - */ - if ((png_ptr->mode&PNG_HAVE_PNG_SIGNATURE)&&png_ptr->mng_features_permitted) - png_warning(png_ptr, "MNG features are not allowed in a PNG datastream"); - if (filter_type != PNG_FILTER_TYPE_BASE) - { - if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) && - (filter_type == PNG_INTRAPIXEL_DIFFERENCING) && - ((png_ptr->mode&PNG_HAVE_PNG_SIGNATURE) == 0) && - (color_type == PNG_COLOR_TYPE_RGB || - color_type == PNG_COLOR_TYPE_RGB_ALPHA))) - png_error(png_ptr, "Unknown filter method in IHDR"); - if (png_ptr->mode&PNG_HAVE_PNG_SIGNATURE) - png_warning(png_ptr, "Invalid filter method in IHDR"); - } -#else - if (filter_type != PNG_FILTER_TYPE_BASE) - png_error(png_ptr, "Unknown filter method in IHDR"); -#endif + png_check_IHDR (png_ptr, width, height, bit_depth, color_type, + interlace_type, compression_type, filter_type); info_ptr->width = width; info_ptr->height = height; info_ptr->bit_depth = (png_byte)bit_depth; @@ -640,14 +574,8 @@ blue_x = (float).15; blue_y = (float).06; #endif -#if !defined(PNG_NO_CHECK_cHRM) - if (png_check_cHRM_fixed(png_ptr, - int_white_x, int_white_y, int_red_x, int_red_y, int_green_x, - int_green_y, int_blue_x, int_blue_y)) -#endif - { #ifdef PNG_FIXED_POINT_SUPPORTED png_set_cHRM_fixed(png_ptr, info_ptr, int_white_x, int_white_y, int_red_x, int_red_y, int_green_x, int_green_y, int_blue_x, int_blue_y); @@ -655,9 +583,8 @@ #ifdef PNG_FLOATING_POINT_SUPPORTED png_set_cHRM(png_ptr, info_ptr, white_x, white_y, red_x, red_y, green_x, green_y, blue_x, blue_y); #endif - } #endif /* cHRM */ } #endif /* sRGB */