diff -ru4NwbB libpng-1.2.42/png.c libpng-1.2.43beta02/png.c
--- libpng-1.2.42/png.c 2010-01-02 23:04:19.598757954 -0600
+++ libpng-1.2.43beta02/png.c 2010-02-01 09:25:12.815067667 -0600
@@ -1,8 +1,8 @@
 /* png.c - location for general purpose libpng functions
 *
- * Last changed in libpng 1.2.42 [February 1, 2010]
+ * Last changed in libpng 1.2.42 [January 3, 2010]
 * Copyright (c) 1998-2010 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
 *
diff -ru4NwbB libpng-1.2.42/png.h libpng-1.2.43beta02/png.h
--- libpng-1.2.42/png.h 2010-01-02 23:04:19.574120328 -0600
+++ libpng-1.2.43beta02/png.h 2010-02-01 09:25:12.790638320 -0600
@@ -253,8 +253,9 @@
 * 1.2.42beta01-02 13 10242 12.so.0.42[.0]
 * 1.2.42rc01-05 13 10242 12.so.0.42[.0]
 * 1.0.52 10 10052 10.so.0.52[.0]
 * 1.2.42 13 10242 12.so.0.42[.0]
+ * 1.2.43beta01 13 10243 12.so.0.43[.0]
 *
 * Henceforth the source version will match the shared-library major
 * and minor numbers; the shared-library major version number will be
 * used for changes in backward compatibility, as it is intended. The
diff -ru4NwbB libpng-1.2.42/pngconf.h libpng-1.2.43beta02/pngconf.h
--- libpng-1.2.42/pngconf.h 2010-01-02 23:04:19.583584354 -0600
+++ libpng-1.2.43beta02/pngconf.h 2010-02-01 09:25:12.799971799 -0600
@@ -621,24 +621,20 @@
 # endif
 # ifndef PNG_NO_READ_BACKGROUND
 # define PNG_READ_BACKGROUND_SUPPORTED
 # endif
-#ifndef PNG_1_0_X
 # ifndef PNG_NO_READ_16_TO_8
 # define PNG_READ_16_TO_8_SUPPORTED
 # endif
-#endif
 # ifndef PNG_NO_READ_FILLER
 # define PNG_READ_FILLER_SUPPORTED
 # endif
 # ifndef PNG_NO_READ_GAMMA
 # define PNG_READ_GAMMA_SUPPORTED
 # endif
-#ifndef PNG_1_0_X
 # ifndef PNG_NO_READ_GRAY_TO_RGB
 # define PNG_READ_GRAY_TO_RGB_SUPPORTED
 # endif
-#endif
 # ifndef PNG_NO_READ_SWAP_ALPHA
 # define PNG_READ_SWAP_ALPHA_SUPPORTED
 # endif
 # ifndef PNG_NO_READ_INVERT_ALPHA
diff -ru4NwbB libpng-1.2.42/pngpread.c libpng-1.2.43beta02/pngpread.c
--- libpng-1.2.42/pngpread.c 2010-01-02 23:04:19.630442557 -0600
+++ libpng-1.2.43beta02/pngpread.c 2010-02-01 09:25:12.847181678 -0600
@@ -1,8 +1,8 @@
 /* pngpread.c - read a png file in push mode
 *
- * Last changed in libpng 1.2.42 [February 1, 2010]
+ * Last changed in libpng 1.2.42 [January 3, 2010]
 * Copyright (c) 1998-2009 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
 *
diff -ru4NwbB libpng-1.2.42/pngrtran.c libpng-1.2.43beta02/pngrtran.c
--- libpng-1.2.42/pngrtran.c 2010-01-02 23:04:19.660071212 -0600
+++ libpng-1.2.43beta02/pngrtran.c 2010-02-01 09:25:12.876855504 -0600
@@ -1,8 +1,8 @@
 /* pngrtran.c - transforms the data in a row for PNG readers
 *
- * Last changed in libpng 1.2.42 [February 1, 2010]
+ * Last changed in libpng 1.2.42 [January 3, 2010]
 * Copyright (c) 1998-2010 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
 *
diff -ru4NwbB libpng-1.2.42/pngrutil.c libpng-1.2.43beta02/pngrutil.c
--- libpng-1.2.42/pngrutil.c 2010-01-02 23:04:19.673407448 -0600
+++ libpng-1.2.43beta02/pngrutil.c 2010-02-01 09:25:12.890484452 -0600
@@ -1,8 +1,8 @@
 /* pngrutil.c - utilities to read a PNG file
 *
- * Last changed in libpng 1.2.41 [December 3, 2009]
+ * Last changed in libpng 1.2.43 [February 1, 2010]
 * Copyright (c) 1998-2009 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
 *
@@ -216,8 +216,70 @@
 }
 #if defined(PNG_READ_zTXt_SUPPORTED) || defined(PNG_READ_iTXt_SUPPORTED) || \
 defined(PNG_READ_iCCP_SUPPORTED)
+png_size_t
+png_measure_decompressed_chunk(png_structp png_ptr, int comp_type,
+ png_size_t chunklength, png_size_t prefix_size)
+{
+ png_charp text;
+ png_charp test = "X";
+ png_size_t text_size = 0;
+
+ if (comp_type == PNG_COMPRESSION_TYPE_BASE)
+ {
+ int ret = Z_OK;
+
+ png_ptr->zstream.next_in = (png_bytep)(png_ptr->chunkdata + prefix_size);
+ png_ptr->zstream.avail_in = (uInt)(chunklength - prefix_size);
+ png_ptr->zstream.next_out = png_ptr->zbuf;
+ png_ptr->zstream.avail_out = (uInt)png_ptr->zbuf_size;
+
+ text = NULL;
+
+ while (png_ptr->zstream.avail_in)
+ {
+ ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH);
+ if (ret != Z_OK && ret != Z_STREAM_END)
+ {
+ inflateReset(&png_ptr->zstream);
+ png_ptr->zstream.avail_in = 0;
+ break;
+ }
+ if (!png_ptr->zstream.avail_out || ret == Z_STREAM_END)
+ {
+ if (text == NULL) /* Initialize the decompression buffer */
+ {
+ text_size = prefix_size +
+ png_ptr->zbuf_size - png_ptr->zstream.avail_out;
+
+ text=test;
+ }
+ else /* Enlarge the decompression buffer */
+ {
+ text_size += png_ptr->zbuf_size - png_ptr->zstream.avail_out;
+#ifdef PNG_CHUNK_MALLOC_LIMIT_SUPPORTED
+ if (text_size >= png_ptr->user_chunk_malloc_max - 1)
+ return 0;
+#endif
+ }
+ }
+ if (ret == Z_STREAM_END)
+ break;
+
+ else
+ {
+ png_ptr->zstream.next_out = png_ptr->zbuf;
+ png_ptr->zstream.avail_out = (uInt)png_ptr->zbuf_size;
+ }
+ }
+
+ inflateReset(&png_ptr->zstream);
+ png_ptr->zstream.avail_in = 0;
+ }
+ return text_size;
+}
+
 /*
 * Decompress trailing data in a chunk. The assumption is that chunkdata
 * points at an allocated area holding the contents of a chunk with a
 * trailing compressed part. What we get back is an allocated area
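Review bot: The `return 0;` inside the `PNG_CHUNK_MALLOC_LIMIT_SUPPORTED` block of png_measure_decompressed_chunk leaves the loop without calling `inflateReset(&png_ptr->zstream)` or clearing `avail_in`, which every other path that touches the stream does, so the shared zstream is left mid-stream for whatever inflates next. Replacing it with `{ text_size = 0; break; }` lets the over-limit case fall through to the reset after the loop. The limit is also tested only in the else branch and only when that macro is defined, so the first buffer is never checked and builds without the macro accumulate `text_size` with no bound at all; moving the check below the if/else would cover both branches. The `text`/`test = "X"` pair serves only as a first-pass flag and would read more clearly as an `int`.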
@@ -231,19 +293,31 @@
 {
 static PNG_CONST char msg[] = "Error decoding compressed chunk";
 png_charp text;
 png_size_t text_size;
+ png_size_t expanded_size;
+
+ expanded_size= png_measure_decompressed_chunk(png_ptr, comp_type,
+ chunklength, prefix_size);
+ if (expanded_size == 0)
+ {
+ *newlength=0;
+ return;
+ }
 if (comp_type == PNG_COMPRESSION_TYPE_BASE)
 {
 int ret = Z_OK;
+ png_size_t buffer_size;
+
 png_ptr->zstream.next_in = (png_bytep)(png_ptr->chunkdata + prefix_size);
 png_ptr->zstream.avail_in = (uInt)(chunklength - prefix_size);
 png_ptr->zstream.next_out = png_ptr->zbuf;
 png_ptr->zstream.avail_out = (uInt)png_ptr->zbuf_size;
 text_size = 0;
 text = NULL;
+ buffer_size = 0;
 while (png_ptr->zstream.avail_in)
 {
 ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH);
@@ -261,11 +335,12 @@
 text_size = prefix_size + png_sizeof(msg) + 1;
 text = (png_charp)png_malloc_warn(png_ptr, text_size);
 if (text == NULL)
 {
- png_free(png_ptr, png_ptr->chunkdata);
- png_ptr->chunkdata = NULL;
- png_error(png_ptr, "Not enough memory to decompress chunk");
+ png_error(png_ptr,
+ "Not enough memory to decompress chunk");
+ text_size = 0;
+ break;
 }
 png_memcpy(text, png_ptr->chunkdata, prefix_size);
 }
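Review bot: The early return on `expanded_size == 0` handles three different outcomes of the measuring pass identically: an unsupported `comp_type`, an inflate error before any output was counted, and the size limit being exceeded. In each case the function returns with `*newlength` set to 0 and `png_ptr->chunkdata` still holding the original prefix and compressed bytes, without any warning, and the code further down that stores "Error decoding compressed chunk" is no longer reached for those inputs. The callers are outside this hunk, so whether they cope with a zero length over an unmodified buffer needs confirming; at a minimum add `png_warning(png_ptr, msg);` before the `return`. The function's signature and tail are outside the hunk.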
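Review bot: The `text_size = 0; break;` added after `png_error(...)` in the -261,11 hunk cannot run if png_error does not return, which is how libpng's error path is normally expected to behave, so the two new statements are dead code and the only effective change is that `png_ptr->chunkdata` is no longer freed before the error is raised. If the intent is to continue after an allocation failure, the call should be `png_warning(png_ptr, "Not enough memory to decompress chunk");`; if the intent is still to abort, drop the two unreachable lines. The same pattern recurs in the "Initialize the decompression buffer" branch of the following hunk (-273,57 +348,40).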
@@ -273,57 +348,40 @@
 /* Copy what we can of the error message into the text chunk */
 text_size = (png_size_t)(chunklength - (text - png_ptr->chunkdata) - 1);
+
 if (text_size > png_sizeof(msg))
 text_size = png_sizeof(msg);
+
 png_memcpy(text + prefix_size, msg, text_size);
+ buffer_size = text_size;
 break;
 }
 if (!png_ptr->zstream.avail_out || ret == Z_STREAM_END)
 {
- if (text == NULL)
+ if (text == NULL) /* Initialize the decompression buffer */
 {
- text_size = prefix_size +
- png_ptr->zbuf_size - png_ptr->zstream.avail_out;
+ text_size = expanded_size;
+
 text = (png_charp)png_malloc_warn(png_ptr, text_size + 1);
 if (text == NULL)
 {
- png_free(png_ptr, png_ptr->chunkdata);
- png_ptr->chunkdata = NULL;
 png_error(png_ptr, "Not enough memory to decompress chunk.");
+ text_size = 0;
+ break;
 }
 png_memcpy(text + prefix_size, png_ptr->zbuf, text_size - prefix_size);
 png_memcpy(text, png_ptr->chunkdata, prefix_size);
 *(text + text_size) = 0x00;
+ buffer_size = text_size;
 }
- else
- {
- png_charp tmp;
-
- tmp = text;
- text = (png_charp)png_malloc_warn(png_ptr,
- (png_uint_32)(text_size +
- png_ptr->zbuf_size - png_ptr->zstream.avail_out + 1));
- if (text == NULL)
- {
- png_free(png_ptr, tmp);
- png_free(png_ptr, png_ptr->chunkdata);
- png_ptr->chunkdata = NULL;
- png_error(png_ptr,
- "Not enough memory to decompress chunk..");
- }
- png_memcpy(text, tmp, text_size);
- png_free(png_ptr, tmp);
- png_memcpy(text + text_size, png_ptr->zbuf,
- (png_ptr->zbuf_size - png_ptr->zstream.avail_out));
- text_size += png_ptr->zbuf_size - png_ptr->zstream.avail_out;
- *(text + text_size) = 0x00;
 }
 if (ret == Z_STREAM_END)
 break;
+
 else
 {
 png_ptr->zstream.next_out = png_ptr->zbuf;
 png_ptr->zstream.avail_out = (uInt)png_ptr->zbuf_size;
@@ -328,9 +386,9 @@
 png_ptr->zstream.next_out = png_ptr->zbuf;
 png_ptr->zstream.avail_out = (uInt)png_ptr->zbuf_size;
 }
 }
- }
+
 if (ret != Z_STREAM_END)
 {
 #if defined(PNG_STDIO_SUPPORTED) && !defined(_WIN32_WCE)
 char umsg[52];
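Review bot: In the "Initialize the decompression buffer" branch, `png_memcpy(text + prefix_size, png_ptr->zbuf, text_size - prefix_size)` now runs with `text_size = expanded_size`, the total measured size, while zbuf receives at most `png_ptr->zbuf_size` bytes per inflate pass, so any chunk that expands beyond one zbuf makes this copy read past the end of zbuf. With the enlarge branch deleted, output from the second and later passes is also never copied, because nothing happens once `text` is non-NULL. The copy should append only the bytes the current pass produced, at a running offset, and never beyond the measured size. `buffer_size` is assigned here but not read in the visible lines, so the sketch below uses `expanded_size` as the capacity. The enclosing function starts and ends outside the hunk.

```c
if (!png_ptr->zstream.avail_out || ret == Z_STREAM_END)
{
   png_size_t produced = png_ptr->zbuf_size - png_ptr->zstream.avail_out;

   if (text == NULL)  /* Initialize the decompression buffer */
   {
      text = (png_charp)png_malloc_warn(png_ptr, expanded_size + 1);
      /* ... unchanged: NULL check on text ... */
      png_memcpy(text, png_ptr->chunkdata, prefix_size);
      text_size = prefix_size;
   }

   /* Append this pass only, and never beyond the measured size. */
   if (produced > expanded_size - text_size)
      produced = expanded_size - text_size;
   png_memcpy(text + text_size, png_ptr->zbuf, produced);
   text_size += produced;
   *(text + text_size) = 0x00;
   buffer_size = text_size;
}
```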
@@ -362,9 +420,9 @@
 if (text == NULL)
 {
 png_free(png_ptr, png_ptr->chunkdata);
 png_ptr->chunkdata = NULL;
- png_error(png_ptr, "Not enough memory for text.");
+ png_error(png_ptr, "Not enough memory for text");
 }
 png_memcpy(text, png_ptr->chunkdata, prefix_size);
 }
 *(text + text_size) = 0x00;
diff -ru4NwbB libpng-1.2.42/pngset.c libpng-1.2.43beta02/pngset.c
--- libpng-1.2.42/pngset.c 2010-01-02 23:04:19.681601636 -0600
+++ libpng-1.2.43beta02/pngset.c 2010-02-01 09:25:12.898505433 -0600
@@ -1,8 +1,8 @@
 /* pngset.c - storage of image information into info struct
 *
- * Last changed in libpng 1.2.42 [February 1, 2010]
+ * Last changed in libpng 1.2.42 [January 3, 2010]
 * Copyright (c) 1998-2010 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
 *
diff -ru4NwbB libpng-1.2.42/pngtest.c libpng-1.2.43beta02/pngtest.c
--- libpng-1.2.42/pngtest.c 2010-01-02 23:04:19.690626211 -0600
+++ libpng-1.2.43beta02/pngtest.c 2010-02-01 09:25:12.907515081 -0600
@@ -1535,16 +1535,16 @@
 int allocation_now = current_allocation;
 #endif
 for (i=2; i