diff --git a/ANNOUNCE b/ANNOUNCE index f40c9b710..7b4de16fb 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,5 +1,5 @@ -Libpng 1.5.24beta03 - October 15, 2015 +Libpng 1.5.24beta03 - October 29, 2015 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -52,7 +52,8 @@ Version 1.5.24beta02 [October 15, 2015] Merged pngvalid.c with version 1.6.19. Added sPLT support to pngtest.c -Version 1.5.24beta03 [October 15, 2015] +Version 1.5.24beta03 [October 29, 2015] + Prevent writing over-length PLTE chunk (Cosmin Truta). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index bf1c5b874..28e2a5550 100644 --- a/CHANGES +++ b/CHANGES @@ -3754,7 +3754,8 @@ Version 1.5.7beta04 [November 17, 2011] Version 1.5.7beta05 [November 25, 2011] Removed "zTXt" from warning in generic chunk decompression function. Validate time settings passed to pngset() and png_convert_to_rfc1123() - (Frank Busse). + (Frank Busse). Note: This prevented CVE-2015-7981 from affecting + libpng-1.5.7 and later. Added MINGW support to CMakeLists.txt Reject invalid compression flag or method when reading the iTXt chunk. Backed out 'simplified' API changes. The API seems too complex and there @@ -4398,7 +4399,8 @@ Version 1.5.24beta02 [October 15, 2015] Merged pngvalid.c with version 1.6.19. Added sPLT support to pngtest.c -Version 1.5.24beta03 [October 15, 2015] +Version 1.5.24beta03 [October 29, 2015] + Prevent writing over-length PLTE chunk (Cosmin Truta). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/libpng-manual.txt b/libpng-manual.txt index 6803ca679..8e787f389 100644 --- a/libpng-manual.txt +++ b/libpng-manual.txt 
@@ -1,6 +1,6 @@ Libpng-manual.txt - A description on how to use and modify libpng - libpng version 1.5.24beta03 - October 15, 2015 + libpng version 1.5.24beta03 - October 29, 2015 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2014 Glenn Randers-Pehrson @@ -11,7 +11,7 @@ Libpng-manual.txt - A description on how to use and modify libpng Based on: - libpng versions 0.97, January 1998, through 1.5.24beta03 - October 15, 2015 + libpng versions 0.97, January 1998, through 1.5.24beta03 - October 29, 2015 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2014 Glenn Randers-Pehrson @@ -4256,6 +4256,11 @@ limits are now The png_set_option() function (and the "options" member of the png struct) was added to libpng-1.5.15. +Starting with libpng-1.5.24, attempting to write an over-length PLTE chunk +is an error. Previously this requirement of the PNG specification was not +enforced. Libpng continues to accept over-length PLTE chunks when reading, +but does not make any use of the extra entries. + The library now supports a complete fixed point implementation and can thus be used on systems that have no floating point support or very limited or slow support. Previously gamma correction, an essential part @@ -4501,7 +4506,7 @@ Other rules can be inferred by inspecting the libpng source. XIV. Y2K Compliance in libpng -October 15, 2015 +October 29, 2015 Since the PNG Development group is an ad-hoc body, we can't make an official declaration. diff --git a/libpng.3 b/libpng.3 index c424b83bd..9b972d6e6 100644 --- a/libpng.3 +++ b/libpng.3 @@ -1,4 +1,4 @@ -.TH LIBPNG 3 "October 15, 2015" +.TH LIBPNG 3 "October 29, 2015" .SH NAME libpng \- Portable Network Graphics (PNG) Reference Library 1.5.24beta03 .SH SYNOPSIS 
@@ -496,7 +496,7 @@ Following is a copy of the libpng-manual.txt file that accompanies libpng. .SH LIBPNG.TXT Libpng-manual.txt - A description on how to use and modify libpng - libpng version 1.5.24beta03 - October 15, 2015 + libpng version 1.5.24beta03 - October 29, 2015 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2014 Glenn Randers-Pehrson @@ -507,7 +507,7 @@ Libpng-manual.txt - A description on how to use and modify libpng Based on: - libpng versions 0.97, January 1998, through 1.5.24beta03 - October 15, 2015 + libpng versions 0.97, January 1998, through 1.5.24beta03 - October 29, 2015 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2014 Glenn Randers-Pehrson @@ -4752,6 +4752,11 @@ limits are now The png_set_option() function (and the "options" member of the png struct) was added to libpng-1.5.15. +Starting with libpng-1.5.24, attempting to write an over-length PLTE chunk +is an error. Previously this requirement of the PNG specification was not +enforced. Libpng continues to accept over-length PLTE chunks when reading, +but does not make any use of the extra entries. + The library now supports a complete fixed point implementation and can thus be used on systems that have no floating point support or very limited or slow support. Previously gamma correction, an essential part @@ -4997,7 +5002,7 @@ Other rules can be inferred by inspecting the libpng source. .SH XIV. Y2K Compliance in libpng -October 15, 2015 +October 29, 2015 Since the PNG Development group is an ad-hoc body, we can't make an official declaration. @@ -5310,7 +5315,7 @@ possible without all of you. Thanks to Frank J. T. Wojcik for helping with the documentation. -Libpng version 1.5.24beta03 - October 15, 2015: +Libpng version 1.5.24beta03 - October 29, 2015: Initially created in 1995 by Guy Eric Schalnat, then of Group 42, Inc. Currently maintained by Glenn Randers-Pehrson (glennrp at users.sourceforge.net). 
@@ -5333,7 +5338,7 @@ this sentence. This code is released under the libpng license. -libpng versions 1.0.7, July 1, 2000, through 1.5.24beta03, October 15, 2015, are +libpng versions 1.0.7, July 1, 2000, through 1.5.24beta03, October 29, 2015, are Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, and are distributed according to the same disclaimer and license as libpng-1.0.6 with the following individuals added to the list of Contributing Authors: @@ -5426,7 +5431,7 @@ the additional disclaimers inserted at version 1.0.7. Glenn Randers-Pehrson glennrp at users.sourceforge.net -October 15, 2015 +October 29, 2015 .\" end of man page diff --git a/pngwutil.c b/pngwutil.c index fc028637a..05fd85d7a 100644 --- a/pngwutil.c +++ b/pngwutil.c @@ -1,7 +1,7 @@ /* pngwutil.c - utilities to write a PNG file * - * Last changed in libpng 1.5.23 [July 23, 2015] + * Last changed in libpng 1.5.24 [(PENDING RELEASE)] * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -896,17 +896,20 @@ void /* PRIVATE */ png_write_PLTE(png_structp png_ptr, png_const_colorp palette, png_uint_32 num_pal) { - png_uint_32 i; + png_uint_32 max_num_pal, i; png_const_colorp pal_ptr; png_byte buf[3]; png_debug(1, "in png_write_PLTE"); + max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? + (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; + if (( #ifdef PNG_MNG_FEATURES_SUPPORTED !(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) && #endif - num_pal == 0) || num_pal > 256) + num_pal == 0) || num_pal > max_num_pal) { if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) {
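Review bot: The new limit `(1 << png_ptr->bit_depth)` in png_write_PLTE is a signed `int` shift on a field that this hunk does not range-check, so the bound is only right if `bit_depth` is already restricted to 1, 2, 4 or 8 for palette images by the time this runs. I would make the type explicit and state the assumption next to it, for example `((png_uint_32)1 << png_ptr->bit_depth)` preceded by `/* A palette image can index at most 2^bit_depth entries; assumes bit_depth is 1, 2, 4 or 8 here. */`. The check covers the write path only. The diff does not show whether the code that stores the palette in the info struct, or the read path, applies the same per-bit-depth limit, and that is worth confirming because the manual text added in this commit says over-length PLTE chunks are still accepted when reading. The body of png_write_PLTE continues past the end of the hunk, so the handling inside the error branch cannot be reviewed from here.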