From 56e6741b2585777327ebb7a289bdcd7f42d31ba1 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
Date: Wed, 7 Jan 2015 18:59:10 -0600
Subject: [PATCH] [libpng17] Made the check for out-of-range values in
 png_set_tRNS() work on

16-bit platforms.
---
 ANNOUNCE | 6 ++++--
 CHANGES  | 6 ++++--
 pngset.c | 4 ++--
 3 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/ANNOUNCE b/ANNOUNCE
index 0bfa62262..c0e933713 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
 
-Libpng 1.7.0beta47 - January 2, 2015
+Libpng 1.7.0beta47 - January 8, 2015
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -687,7 +687,9 @@ Version 1.7.0beta46 [January 2, 2015]
   Fixed byte order in 2-byte filler, in png_do_read_filler().
   Allow user to call png_get_IHDR() with NULL arguments (Reuben Hawkins).
 
-Version 1.7.0beta47 [January 2, 2015]
+Version 1.7.0beta47 [January 8, 2015]
+  Made the check for out-of-range values in png_set_tRNS() work on
+    16-bit platforms.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index e16889d4b..46c3d664e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4956,7 +4956,7 @@ Version 1.7.0beta43 [December 18, 2014]
 
 Version 1.7.0beta44 [December 23, 2014]
   Restored a test on width that was removed from png.c at libpng-1.6.9
-    (Bug report by Alex Eubanks).
+    (Bug report by Alex Eubanks, CVE-2014-9495).
   Fixed an overflow in png_combine_row with very wide interlaced images.
   Corrected the width limit calculation in png_check_IHDR().
   Removed extraneous handling of PNG_SAFE_LIMITS_SUPPORTED from pngconf.h
@@ -4976,7 +4976,9 @@ Version 1.7.0beta46 [January 2, 2015]
   Fixed byte order in 2-byte filler, in png_do_read_filler().
   Allow user to call png_get_IHDR() with NULL arguments (Reuben Hawkins).
 
-Version 1.7.0beta47 [January 2, 2015]
+Version 1.7.0beta47 [January 8, 2015]
+  Made the check for out-of-range values in png_set_tRNS() work on
+    16-bit platforms.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/pngset.c b/pngset.c
index 0af402a17..668a25c06 100644
--- a/pngset.c
+++ b/pngset.c
@@ -987,9 +987,9 @@ png_set_tRNS(png_structrp png_ptr, png_inforp info_ptr,
       info_ptr->valid &= ~PNG_INFO_tRNS;
       info_ptr->num_trans = 0; /* for png_get_tRNS */
 
-      if (trans_color != NULL)
+      if (trans_color != NULL && info_ptr->bit_depth < 16)
       {
-         int sample_max = (1 << info_ptr->bit_depth);
+         png_uint_16 sample_max = (1 << info_ptr->bit_depth) - 1;
 
          if ((info_ptr->color_type == PNG_COLOR_TYPE_GRAY &&
              trans_color->gray <= sample_max) ||