Recently introduced palette sharing bug

The internal read code change to stop sharing the palette was incompletely
implemented.  The result is that unless palette index checking is turned off and
there are no read transformations the png_info palette gets deleted when the
png_struct is deleted.  This is normally harmless (png_info gets deleted first)
but in the case of pngcp it results in use-after-free of the palette and,
therefore, palette corruption and maybe on some operating systems an access
violation.

This also updated pngcp 'search' mode to check a restricted range of memLevels;
there is an unrelated bug which means that lower zlib memLevels result in memory
corruption under some circumstances, probably less often than 1:1000.

Signed-off-by: John Bowler <jbowler@acm.org>
John Bowler
2016-01-12 09:36:10 -08:00
parent 2fce16e5c4
commit 3d024874a5
3 changed files with 44 additions and 24 deletions


@@ -469,7 +469,7 @@ struct png_struct_def
* default: PNG_DEFAULT_GAMMA_ACCURACY (665)
*/
#endif /* NYI */
png_uint_16 gamma_threshold;
png_uint_16 gamma_threshold;
/* Gamma threshold value as a fixed-point value in the range 0..1; the
* threshold at or below which gamma correction is skipped. '0' forces
* gamma correction even when there is none because the input and output
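Review bot: the only changed line in this hunk is the `png_uint_16 gamma_threshold;` declaration, and the removed and added copies read identically, so the change appears to be whitespace or indentation only (the +/- markers were lost in rendering, so this cannot be confirmed here). A whitespace-only touch inside a use-after-free fix is noise for anyone bisecting later; either drop it from this commit or mention it in the commit message so the diff is not mistaken for a semantic change to the gamma threshold.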
@@ -479,7 +479,8 @@ struct png_struct_def
*/
#endif /* READ_GAMMA */
#ifdef PNG_READ_TRANSFORMS_SUPPORTED
unsigned int invalid_info; /* PNG_INFO_* for invalidated chunks */
unsigned int invalid_info; /* PNG_INFO_* for invalidated chunks */
unsigned int palette_updated:1; /* png_struct::palette changed */
#endif /* READ_TRANSFORMS */
#ifdef PNG_SEQUENTIAL_READ_SUPPORTED
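Review bot: the new `palette_updated:1` bitfield is declared only under `PNG_READ_TRANSFORMS_SUPPORTED`, but the commit message says the ownership bug shows up when there are no read transformations, so every site that reads, sets or clears this flag (and every site that decides whether png_struct or png_info frees the palette) must sit under the same guard, or the flag needs to move outside the ifdef; the hunk does not show where the field is initialised to zero, and the comment `/* png_struct::palette changed */` should state the ownership rule it encodes (when set, png_struct holds its own copy of the palette and is responsible for freeing it; when clear, the palette still belongs to png_info and must not be freed twice), since that is exactly the distinction whose omission caused the use-after-free in pngcp.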