diff --git a/ANNOUNCE b/ANNOUNCE index 2dfb5e3bf..16e7e6685 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,5 +1,5 @@ -Libpng 1.5.23beta01 - May 10, 2015 +Libpng 1.5.23beta01 - May 21, 2015 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -27,7 +27,7 @@ Other information: Changes since the last public release (1.5.22): -Version 1.5.23beta01 [May 10, 2015] +Version 1.5.23beta01 [May 21, 2015] Removed unused PNG_SET_CHUNK_[CACHE|MALLOC]_LIMIT_SUPPORTED definitions from pnglibconf.h.prebuilt (Andrew Church). Replaced "unexpected" with an integer in pngset.c where a long was @@ -35,6 +35,8 @@ Version 1.5.23beta01 [May 10, 2015] Fix typecast in a png_debug2() statement in png_set_text_2() to avoid a compiler warning in PNG_DEBUG builds. Avoid Coverity issue 80858 (REVERSE NULL) in pngtest.c PNG_DEBUG builds. + Avoid a harmless potential integer overflow in png_XYZ_from_xy() (Bug + report from Christopher Ferris). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index 2752af3bd..9d1ce1e1a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,11 +1,14 @@ #if 0 CHANGES - changes for libpng -Version 0.2 +version 0.1 [March 29, 1995] + initial work-in-progress release + +version 0.2 [April 1, 1995] added reader into png.h fixed small problems in stub file -Version 0.3 +version 0.3 [April 8, 1995] added pull reader split up pngwrite.c to several files added pnglib.txt @@ -14,9 +17,9 @@ Version 0.3 fixed some bugs in writer interfaced with zlib 0.5 added K&R support - added check for 64 KB blocks for 16-bit machines + added check for 64 KB blocks for 16 bit machines -Version 0.4 +version 0.4 [April 26, 1995] cleaned up code and commented code simplified time handling into png_time created png_color_16 and png_color_8 to handle color needs @@ -27,28 +30,29 @@ Version 0.4 cleaned up zTXt reader and writer (using zlib's Reset functions) split transformations into pngrtran.c and pngwtran.c -Version 0.5 +version 0.5 [April 30, 1995] interfaced with zlib 0.8 fixed many reading and writing bugs saved using 3 spaces instead of tabs -Version 0.6 +version 0.6 [May 1, 1995] + first beta release added png_large_malloc() and png_large_free() added png_size_t cleaned up some compiler warnings added png_start_read_image() -Version 0.7 +version 0.7 [June 24, 1995] cleaned up lots of bugs finished dithering and other stuff added test program changed name from pnglib to libpng -Version 0.71 [June, 1995] +version 0.71 [June 26, 1995] changed pngtest.png for zlib 0.93 fixed error in libpng.txt and example.c -Version 0.8 +version 0.8 [August 20, 1995] cleaned up some bugs added png_set_filler() split up pngstub.c into pngmem.c, pngio.c, and pngerror.c @@ -1449,8 +1453,9 @@ Version 1.2.6beta4 [July 28, 2004] Use png_malloc instead of png_zalloc to allocate the pallete. Version 1.0.16rc1 and 1.2.6rc1 [August 4, 2004] - Fixed buffer overflow vulnerability in png_handle_tRNS() - Fixed integer arithmetic overflow vulnerability in png_read_png(). + Fixed buffer overflow vulnerability (CVE-2004-0597) in png_handle_tRNS(). + Fixed NULL dereference vulnerability (CVE-2004-0598) in png_handle_iCCP(). + Fixed integer overflow vulnerability (CVE-2004-0599) in png_read_png(). Fixed some harmless bugs in png_handle_sBIT, etc, that would cause duplicate chunk types to go undetected. Fixed some timestamps in the -config version @@ -4334,7 +4339,7 @@ Version 1.5.22rc04 [March 16, 2015] Version 1.5.22 [March 26, 2015] No changes. -Version 1.5.23beta01 [May 10, 2015] +Version 1.5.23beta01 [May 21, 2015] Removed unused PNG_SET_CHUNK_[CACHE|MALLOC]_LIMIT_SUPPORTED definitions from pnglibconf.h.prebuilt (Andrew Church). Replaced "unexpected" with an integer in pngset.c where a long was @@ -4342,6 +4347,8 @@ Version 1.5.23beta01 [May 10, 2015] Fix typecast in a png_debug2() statement in png_set_text_2() to avoid a compiler warning in PNG_DEBUG builds. Avoid Coverity issue 80858 (REVERSE NULL) in pngtest.c PNG_DEBUG builds. + Avoid a harmless potential integer overflow in png_XYZ_from_xy() (Bug + report from Christopher Ferris). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/png.c b/png.c index 2d7506463..c5794a91d 100644 --- a/png.c +++ b/png.c @@ -648,13 +648,13 @@ png_get_copyright(png_const_structp png_ptr) #else # ifdef __STDC__ return PNG_STRING_NEWLINE \ - "libpng version 1.5.23beta01 - March 26, 2015" PNG_STRING_NEWLINE \ + "libpng version 1.5.23beta01 - May 21, 2015" PNG_STRING_NEWLINE \ "Copyright (c) 1998-2015 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \ "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \ "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \ PNG_STRING_NEWLINE; # else - return "libpng version 1.5.23beta01 - March 26, 2015\ + return "libpng version 1.5.23beta01 - May 21, 2015\ Copyright (c) 1998-2015 Glenn Randers-Pehrson\ Copyright (c) 1996-1997 Andreas Dilger\ Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc."; @@ -885,7 +885,8 @@ int png_XYZ_from_xy(png_XYZ *XYZ, png_xy xy) /* Check xy and, implicitly, z. Note that wide gamut color spaces typically * have end points with 0 tristimulus values (these are impossible end - * points, but they are used to cover the possible colors.) + * points, but they are used to cover the possible colors). We check + * xy.whitey against 5, not 0, to avoid a possible integer overflow. */ if (xy.redx < 0 || xy.redx > PNG_FP_1) return 1; if (xy.redy < 0 || xy.redy > PNG_FP_1-xy.redx) return 1; @@ -894,7 +895,7 @@ int png_XYZ_from_xy(png_XYZ *XYZ, png_xy xy) if (xy.bluex < 0 || xy.bluex > PNG_FP_1) return 1; if (xy.bluey < 0 || xy.bluey > PNG_FP_1-xy.bluex) return 1; if (xy.whitex < 0 || xy.whitex > PNG_FP_1) return 1; - if (xy.whitey < 0 || xy.whitey > PNG_FP_1-xy.whitex) return 1; + if (xy.whitey < 5 || xy.whitey > PNG_FP_1-xy.whitex) return 1; /* The reverse calculation is more difficult because the original tristimulus * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8