[libpng15] When png_set_filler is used to strip a filler channel during write,

the code prior to 1.5 would ignore the case where the output required an
alpha channel or when the output was a palettized PNG.  In libpng-1.5 the
ignorance was lost and libpng proceeded to strip the channel resulting
in a bad (potential memory overwrite) failure later.  This reverts
the behavior to the pre-1.5 state but issues a warning. libpng-1.6 is
expected to issue an error on the erroneous png_set_filler call.

ANNOUNCE

@@ -1,5 +1,5 @@
 
-Libpng 1.5.13beta02 - August 8, 2012
+Libpng 1.5.13beta02 - August 9, 2012
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -32,7 +32,15 @@ Version 1.5.13beta01 [August 8, 2012]
   Revised PNG_FP_EXPORT and PNG_FIXED_EXPORT macros to avoid generating
     lone semicolons (patch ported from libpng-1.6.0beta11).
 
-Version 1.5.13beta02 [August 8, 2012]
+Version 1.5.13beta02 [August 9, 2012]
+  Corrected handling of the image array and the row_pointers array in example.c
+  When png_set_filler is used to strip a filler channel during write, the
+    code prior to 1.5 would ignore the case where the output required an
+    alpha channel or when the output was a palettized PNG.  In libpng-1.5 the
+    ignorance was lost and libpng proceeded to strip the channel resulting
+    in a bad (potential memory overwrite) failure later.  This reverts
+    the behavior to the pre-1.5 state but issues a warning. libpng-1.6 is
+    expected to issue an error on the erroneous png_set_filler call.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net:
 (subscription required; visit

CHANGES

@@ -3902,7 +3902,16 @@ Version 1.5.13beta01 [August 8, 2012]
   Revised PNG_FP_EXPORT and PNG_FIXED_EXPORT macros to avoid generating
     lone semicolons (patch ported from libpng-1.6.0beta11).
 
-Version 1.5.13beta02 [August 8, 2012]
+Version 1.5.13beta02 [August 9, 2012]
+  Corrected handling of the image array and the row_pointers array in example.c
+  When png_set_filler is used to strip a filler channel during write, the
+    code prior to 1.5 would ignore the case where the output required an
+    alpha channel or when the output was a palettized PNG.  In libpng-1.5 the
+    ignorance was lost and libpng proceeded to strip the channel resulting
+    in a bad (potential memory overwrite) failure later.  This reverts
+    the behavior to the pre-1.5 state but issues a warning. libpng-1.6 is
+    expected to issue an error on the erroneous png_set_filler call.
+
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

pngwtran.c

@@ -1,8 +1,8 @@
 
 /* pngwtran.c - transforms the data in a row for PNG writers
  *
- * Last changed in libpng 1.5.6 [November 3, 2011]
+ * Last changed in libpng 1.5.13 [(PENDING RELEASE)]
- * Copyright (c) 1998-2011 Glenn Randers-Pehrson
+ * Copyright (c) 1998-2012 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
@@ -45,8 +45,20 @@ png_do_write_transformations(png_structp png_ptr, png_row_infop row_info)
 
 #ifdef PNG_WRITE_FILLER_SUPPORTED
    if (png_ptr->transformations & PNG_FILLER)
+   {
+      if (png_ptr->color_type & (PNG_COLOR_MASK_ALPHA|PNG_COLOR_MASK_PALETTE))
+      {
+         /* GA, RGBA or palette; in any of these cases libpng will not do the
+          * the correct thing (whatever that might be).
+          */
+         png_warning(png_ptr, "incorrect png_set_filler call ignored");
+         png_ptr->transformations &= ~PNG_FILLER;
+      }
+
+      else
          png_do_strip_channel(row_info, png_ptr->row_buf + 1,
             !(png_ptr->flags & PNG_FLAG_FILLER_AFTER));
+   }
 #endif
 
 #ifdef PNG_WRITE_PACKSWAP_SUPPORTED