[libpng15] Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer).

2025-07-10 18:04:09 +02:00 · 2017-03-01 15:46:04 -06:00 · 2017-03-01 15:46:04 -06:00 · 0b21dc3efe
commit 0b21dc3efe
parent d0023a7391
3 changed files with 8 additions and 6 deletions
--- a/1
+++ b/1
@ -28,6 +28,7 @@ Changes since the last public release (1.5.28):

 version 1.5.29beta01 [March 1, 2017]
  Suppress clang warnings about implicit sign changes in png.c
+  Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer).

 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
--- a/1
+++ b/1
@ -4533,6 +4533,7 @@ version 1.5.28 [December 29, 2016]

 version 1.5.29beta01 [March 1, 2017]
  Suppress clang warnings about implicit sign changes in png.c
+  Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer).

 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
--- a/pngrtran.c
+++ b/pngrtran.c
@ -1,8 +1,8 @@

 /* pngrtran.c - transforms the data in a row for PNG readers
 *
- * Last changed in libpng 1.5.24 [November 12, 2015]
- * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson
+ * Last changed in libpng 1.5.29 [(PENDING RELEASE)]
+ * Copyright (c) 1998-2002,2004,2006-2015,2017 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
 *
@ -4604,7 +4604,7 @@ png_do_expand_palette(png_row_infop row_info, png_bytep row,
            if (num_trans > 0)
            {
               sp = row + (png_size_t)row_width - 1;
-               dp = row + (png_size_t)(row_width << 2) - 1;
+               dp = row + ((png_size_t)row_width << 2) - 1;

               for (i = 0; i < row_width; i++)
               {
@ -4767,7 +4767,7 @@ png_do_expand(png_row_infop row_info, png_bytep row,
                * 'gray', however if those are set it is an error.
                */
               sp = row + (png_size_t)row_width - 1;
-               dp = row + (png_size_t)(row_width << 1) - 1;
+               dp = row + ((png_size_t)row_width << 1) - 1;

               for (i = 0; i < row_width; i++)
               {
@ -4821,7 +4821,7 @@ png_do_expand(png_row_infop row_info, png_bytep row,
            png_byte green = (png_byte)(trans_color->green & 0xff);
            png_byte blue = (png_byte)(trans_color->blue & 0xff);
            sp = row + (png_size_t)row_info->rowbytes - 1;
-            dp = row + (png_size_t)(row_width << 2) - 1;
+            dp = row + ((png_size_t)row_width << 2) - 1;
            for (i = 0; i < row_width; i++)
            {
               if (*(sp - 2) == red && *(sp - 1) == green && *(sp) == blue)
@ -4844,7 +4844,7 @@ png_do_expand(png_row_infop row_info, png_bytep row,
            png_byte green_low = (png_byte)(trans_color->green & 0xff);
            png_byte blue_low = (png_byte)(trans_color->blue & 0xff);
            sp = row + row_info->rowbytes - 1;
-            dp = row + (png_size_t)(row_width << 3) - 1;
+            dp = row + ((png_size_t)row_width << 3) - 1;
            for (i = 0; i < row_width; i++)
            {
               if (*(sp - 5) == red_high &&