[libpng17] Handle zero-length PLTE chunk or NULL palette with png_error()

instead of png_chunk_report(), which by default issues a warning
rather than an error, leading to later reading from a NULL pointer
(png_ptr->palette) in png_do_expand_palette().
Glenn Randers-Pehrson 2013-12-15 08:47:52 -06:00
parent 3adf438f39
commit 1faa6ff32c
4 changed files with 15 additions and 4 deletions

@ -1,5 +1,5 @@
Libpng 1.7.0beta24 - December 14, 2013
Libpng 1.7.0beta24 - December 15, 2013
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
@ -437,7 +437,7 @@ Version 1.7.0beta23 [November 24, 2013]
This reverts to the previous 'static' implementation and works round
the 'unused static function' warning by using PNG_UNUSED().
Version 1.7.0beta24 [December 14, 2013]
Version 1.7.0beta24 [December 15, 2013]
Removed or marked PNG_UNUSED some harmless "dead assignments" reported
by clang scan-build.
Changed tabs to 3 spaces in png_debug macros and changed '"%s"m'
@ -456,6 +456,10 @@ Version 1.7.0beta24 [December 14, 2013]
segment of the DLL by 1208 bytes, about 0.6%. It also simplifies
maintenance by removing the declarations from pngpriv.h and allowing
easier changes to the internal interfaces.
Handle zero-length PLTE chunk or NULL palette with png_error()
instead of png_chunk_report(), which by default issues a warning
rather than an error, leading to later reading from a NULL pointer
(png_ptr->palette) in png_do_expand_palette().
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit

@ -4726,7 +4726,7 @@ Version 1.7.0beta23 [November 24, 2013]
This reverts to the previous 'static' implementation and works round
the 'unused static function' warning by using PNG_UNUSED().
Version 1.7.0beta24 [December 14, 2013]
Version 1.7.0beta24 [December 15, 2013]
Removed or marked PNG_UNUSED some harmless "dead assignments" reported
by clang scan-build.
Changed tabs to 3 spaces in png_debug macros and changed '"%s"m'
@ -4745,6 +4745,10 @@ Version 1.7.0beta24 [December 14, 2013]
segment of the DLL by 1208 bytes, about 0.6%. It also simplifies
maintenance by removing the declarations from pngpriv.h and allowing
easier changes to the internal interfaces.
Handle zero-length PLTE chunk or NULL palette with png_error()
instead of png_chunk_report(), which by default issues a warning
rather than an error, leading to later reading from a NULL pointer
(png_ptr->palette) in png_do_expand_palette().
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit

@ -1839,6 +1839,9 @@ png_read_transform_info(png_structrp png_ptr, png_inforp info_ptr)
info_ptr->bit_depth = 8;
info_ptr->num_trans = 0;
if (png_ptr->palette == NULL)
png_error (png_ptr, "Palette is NULL in indexed image");
}
else
{
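Review bot: The new NULL check in png_read_transform_info() guards a different function from the one the commit message names as the site of the NULL read, png_do_expand_palette(), and it sits after `info_ptr->bit_depth = 8;` and `info_ptr->num_trans = 0;`. The visible lines here only update info_ptr, so it is worth confirming that every path into the palette expansion passes through this function first; if not, the same check (or an assertion) belongs where png_ptr->palette is actually read. Moving the check ahead of the info_ptr assignments would also avoid modifying state before the error is raised. Style point: `png_error (png_ptr, ...)` has a space before the parenthesis, unlike `png_error(png_ptr, "Invalid palette");` in the png_set_PLTE hunk.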

@ -528,7 +528,7 @@ png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
# endif
))
{
png_chunk_report(png_ptr, "Invalid palette", PNG_CHUNK_ERROR);
png_error(png_ptr, "Invalid palette");
return;
}
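Review bot: In png_set_PLTE(), the `return;` that follows the new `png_error(png_ptr, "Invalid palette");` is unreachable, since the fix depends on png_error() not returning. Drop it, or mark it with a comment, so it is not read as a live fallback path. png_set_PLTE() is also callable by applications, so this change turns what was by default a warning into a hard error for any caller that passes an invalid palette. That behaviour change deserves a line in the changelog entry, which currently describes only the read-side symptom.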