mirror of
https://git.code.sf.net/p/libpng/code.git
synced 2025-07-10 18:04:09 +02:00
[libpng15] Avoid a harmless potential integer overflow in png_XYZ_from_xy() (Bug
report from Christopher Ferris).
This commit is contained in:
Glenn Randers-Pehrson
parent
8583cc23e4
commit
2cd7404743
6
ANNOUNCE
6
ANNOUNCE
@ -1,5 +1,5 @@
|
||||
|
||||
Libpng 1.5.23beta01 - May 10, 2015
|
||||
Libpng 1.5.23beta01 - May 21, 2015
|
||||
|
||||
This is not intended to be a public release. It will be replaced
|
||||
within a few weeks by a public version or by another test version.
|
||||
@ -27,7 +27,7 @@ Other information:
|
||||
|
||||
Changes since the last public release (1.5.22):
|
||||
|
||||
Version 1.5.23beta01 [May 10, 2015]
|
||||
Version 1.5.23beta01 [May 21, 2015]
|
||||
Removed unused PNG_SET_CHUNK_[CACHE|MALLOC]_LIMIT_SUPPORTED definitions
|
||||
from pnglibconf.h.prebuilt (Andrew Church).
|
||||
Replaced "unexpected" with an integer in pngset.c where a long was
|
||||
@ -35,6 +35,8 @@ Version 1.5.23beta01 [May 10, 2015]
|
||||
Fix typecast in a png_debug2() statement in png_set_text_2() to
|
||||
avoid a compiler warning in PNG_DEBUG builds.
|
||||
Avoid Coverity issue 80858 (REVERSE NULL) in pngtest.c PNG_DEBUG builds.
|
||||
Avoid a harmless potential integer overflow in png_XYZ_from_xy() (Bug
|
||||
report from Christopher Ferris).
|
||||
|
||||
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
|
||||
(subscription required; visit
|
||||
|
||||
31
CHANGES
31
CHANGES
@ -1,11 +1,14 @@
|
||||
#if 0
|
||||
CHANGES - changes for libpng
|
||||
|
||||
Version 0.2
|
||||
version 0.1 [March 29, 1995]
|
||||
initial work-in-progress release
|
||||
|
||||
version 0.2 [April 1, 1995]
|
||||
added reader into png.h
|
||||
fixed small problems in stub file
|
||||
|
||||
Version 0.3
|
||||
version 0.3 [April 8, 1995]
|
||||
added pull reader
|
||||
split up pngwrite.c to several files
|
||||
added pnglib.txt
|
||||
@ -14,9 +17,9 @@ Version 0.3
|
||||
fixed some bugs in writer
|
||||
interfaced with zlib 0.5
|
||||
added K&R support
|
||||
added check for 64 KB blocks for 16-bit machines
|
||||
added check for 64 KB blocks for 16 bit machines
|
||||
|
||||
Version 0.4
|
||||
version 0.4 [April 26, 1995]
|
||||
cleaned up code and commented code
|
||||
simplified time handling into png_time
|
||||
created png_color_16 and png_color_8 to handle color needs
|
||||
@ -27,28 +30,29 @@ Version 0.4
|
||||
cleaned up zTXt reader and writer (using zlib's Reset functions)
|
||||
split transformations into pngrtran.c and pngwtran.c
|
||||
|
||||
Version 0.5
|
||||
version 0.5 [April 30, 1995]
|
||||
interfaced with zlib 0.8
|
||||
fixed many reading and writing bugs
|
||||
saved using 3 spaces instead of tabs
|
||||
|
||||
Version 0.6
|
||||
version 0.6 [May 1, 1995]
|
||||
first beta release
|
||||
added png_large_malloc() and png_large_free()
|
||||
added png_size_t
|
||||
cleaned up some compiler warnings
|
||||
added png_start_read_image()
|
||||
|
||||
Version 0.7
|
||||
version 0.7 [June 24, 1995]
|
||||
cleaned up lots of bugs
|
||||
finished dithering and other stuff
|
||||
added test program
|
||||
changed name from pnglib to libpng
|
||||
|
||||
Version 0.71 [June, 1995]
|
||||
version 0.71 [June 26, 1995]
|
||||
changed pngtest.png for zlib 0.93
|
||||
fixed error in libpng.txt and example.c
|
||||
|
||||
Version 0.8
|
||||
version 0.8 [August 20, 1995]
|
||||
cleaned up some bugs
|
||||
added png_set_filler()
|
||||
split up pngstub.c into pngmem.c, pngio.c, and pngerror.c
|
||||
@ -1449,8 +1453,9 @@ Version 1.2.6beta4 [July 28, 2004]
|
||||
Use png_malloc instead of png_zalloc to allocate the pallete.
|
||||
|
||||
Version 1.0.16rc1 and 1.2.6rc1 [August 4, 2004]
|
||||
Fixed buffer overflow vulnerability in png_handle_tRNS()
|
||||
Fixed integer arithmetic overflow vulnerability in png_read_png().
|
||||
Fixed buffer overflow vulnerability (CVE-2004-0597) in png_handle_tRNS().
|
||||
Fixed NULL dereference vulnerability (CVE-2004-0598) in png_handle_iCCP().
|
||||
Fixed integer overflow vulnerability (CVE-2004-0599) in png_read_png().
|
||||
Fixed some harmless bugs in png_handle_sBIT, etc, that would cause
|
||||
duplicate chunk types to go undetected.
|
||||
Fixed some timestamps in the -config version
|
||||
@ -4334,7 +4339,7 @@ Version 1.5.22rc04 [March 16, 2015]
|
||||
Version 1.5.22 [March 26, 2015]
|
||||
No changes.
|
||||
|
||||
Version 1.5.23beta01 [May 10, 2015]
|
||||
Version 1.5.23beta01 [May 21, 2015]
|
||||
Removed unused PNG_SET_CHUNK_[CACHE|MALLOC]_LIMIT_SUPPORTED definitions
|
||||
from pnglibconf.h.prebuilt (Andrew Church).
|
||||
Replaced "unexpected" with an integer in pngset.c where a long was
|
||||
@ -4342,6 +4347,8 @@ Version 1.5.23beta01 [May 10, 2015]
|
||||
Fix typecast in a png_debug2() statement in png_set_text_2() to
|
||||
avoid a compiler warning in PNG_DEBUG builds.
|
||||
Avoid Coverity issue 80858 (REVERSE NULL) in pngtest.c PNG_DEBUG builds.
|
||||
Avoid a harmless potential integer overflow in png_XYZ_from_xy() (Bug
|
||||
report from Christopher Ferris).
|
||||
|
||||
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
|
||||
(subscription required; visit
|
||||
|
||||
9
png.c
9
png.c
@ -648,13 +648,13 @@ png_get_copyright(png_const_structp png_ptr)
|
||||
#else
|
||||
# ifdef __STDC__
|
||||
return PNG_STRING_NEWLINE \
|
||||
"libpng version 1.5.23beta01 - March 26, 2015" PNG_STRING_NEWLINE \
|
||||
"libpng version 1.5.23beta01 - May 21, 2015" PNG_STRING_NEWLINE \
|
||||
"Copyright (c) 1998-2015 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \
|
||||
"Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
|
||||
"Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
|
||||
PNG_STRING_NEWLINE;
|
||||
# else
|
||||
return "libpng version 1.5.23beta01 - March 26, 2015\
|
||||
return "libpng version 1.5.23beta01 - May 21, 2015\
|
||||
Copyright (c) 1998-2015 Glenn Randers-Pehrson\
|
||||
Copyright (c) 1996-1997 Andreas Dilger\
|
||||
Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.";
|
||||
@ -885,7 +885,8 @@ int png_XYZ_from_xy(png_XYZ *XYZ, png_xy xy)
|
||||
|
||||
/* Check xy and, implicitly, z. Note that wide gamut color spaces typically
|
||||
* have end points with 0 tristimulus values (these are impossible end
|
||||
* points, but they are used to cover the possible colors.)
|
||||
* points, but they are used to cover the possible colors). We check
|
||||
* xy.whitey against 5, not 0, to avoid a possible integer overflow.
|
||||
*/
|
||||
if (xy.redx < 0 || xy.redx > PNG_FP_1) return 1;
|
||||
if (xy.redy < 0 || xy.redy > PNG_FP_1-xy.redx) return 1;
|
||||
@ -894,7 +895,7 @@ int png_XYZ_from_xy(png_XYZ *XYZ, png_xy xy)
|
||||
if (xy.bluex < 0 || xy.bluex > PNG_FP_1) return 1;
|
||||
if (xy.bluey < 0 || xy.bluey > PNG_FP_1-xy.bluex) return 1;
|
||||
if (xy.whitex < 0 || xy.whitex > PNG_FP_1) return 1;
|
||||
if (xy.whitey < 0 || xy.whitey > PNG_FP_1-xy.whitex) return 1;
|
||||
if (xy.whitey < 5 || xy.whitey > PNG_FP_1-xy.whitex) return 1;
|
||||
|
||||
/* The reverse calculation is more difficult because the original tristimulus
|
||||
* value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user