From 5db709d83c5154fab60544afe3424818fd109533 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson
Date: Tue, 24 Nov 2015 14:38:52 -0600
Subject: [PATCH] [libpng17] Updated CHANGES and ANNOUNCE, removed trailing blanks from *.c *.h
---
 ANNOUNCE | 5 +++--
 CHANGES | 5 +++--
 png.c | 2 +-
 pngerror.c | 2 +-
 pngpread.c | 4 ++--
 pngrtran.c | 12 ++++++------
 pngrutil.c | 30 +++++++++++++++---------------
 pngstruct.h | 2 +-
 pngtrans.c | 8 ++++----
 pngwrite.c | 8 ++++----
 pngwutil.c | 2 +-
 11 files changed, 41 insertions(+), 39 deletions(-)
diff --git a/ANNOUNCE b/ANNOUNCE
index 6d4b14ccb..d45096726 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -970,8 +970,9 @@ Version 1.7.0beta69 [November 24, 2015]
 png_handle_pCAL() (Bug report by John Regehr).
 Avoid conditionally compiling parts of statements in png.c (suggested by flaviommedeiros).
- Fixed bug recently introduced in png_set_PLTE() that uses png_ptr
- not info_ptr.
+ Fixed incorrect implementation of png_set_PLTE() that uses png_ptr
+ not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
+ vulnerability.
 Added pngvalid --transform --interlace test. This increases code coverage by generating test cases with smaller length rows as a result of the interlacing. Without this packswap handling was
diff --git a/CHANGES b/CHANGES
index 0621e0607..570bd414f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5269,8 +5269,9 @@ Version 1.7.0beta69 [November 24, 2015]
 png_handle_pCAL() (Bug report by John Regehr).
 Avoid conditionally compiling parts of statements in png.c (suggested by flaviommedeiros).
- Fixed bug recently introduced in png_set_PLTE() that uses png_ptr
- not info_ptr.
+ Fixed incorrect implementation of png_set_PLTE() that uses png_ptr
+ not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
+ vulnerability.
 Added pngvalid --transform --interlace test. This increases code coverage by generating test cases with smaller length rows as a result of the interlacing. Without this packswap handling was
diff --git a/png.c b/png.c
index 2857b4398..9ab0ced40 100644
--- a/png.c
+++ b/png.c
@@ -2288,7 +2288,7 @@ png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr,
 * Fall through to "no match".
 */
 png_chunk_report(png_ptr,
- "Not recognizing known sRGB profile that has been edited",
+ "Not recognizing known sRGB profile that has been edited",
 PNG_CHUNK_WARNING);
 break;
 # endif
diff --git a/pngerror.c b/pngerror.c
index a49c17063..b262734f6 100644
--- a/pngerror.c
+++ b/pngerror.c
@@ -788,7 +788,7 @@ png_longjmp,(png_const_structrp png_ptr, int val),PNG_NORETURN)
 /* If control reaches this point, png_longjmp() must not return. The only
 * choice is to terminate the whole process (or maybe the thread); to do
- * this the ANSI-C abort() function is used unless a different method is
+ * this the ANSI-C abort() function is used unless a different method is
 * implemented by overriding the default configuration setting for
 * PNG_ABORT (see scripts/pnglibconf.dfa).
 *
diff --git a/pngpread.c b/pngpread.c
index afe73bf16..53bb70ea4 100644
--- a/pngpread.c
+++ b/pngpread.c
@@ -411,7 +411,7 @@ png_push_read_process_IDAT(png_structp png_ptr, png_bytep *bufferp,
 */
 {
 png_alloc_size_t buffer_length;
-
+
 if (buffer_lengthp != NULL)
 buffer_length = *buffer_lengthp;
@@ -620,7 +620,7 @@ png_push_read_process_IDAT(png_structp png_ptr, png_bytep *bufferp,
 if (buffer_lengthp != NULL)
 {
 png_push_read_sync_zstream(png_ptr, bufferp, buffer_lengthp);
-
+
 /* If the chunk_length is greater than 0 then there is extra data,
 * report this once. Notice that for IDAT after the end of the
 * stream we keep coming to this point and doing the skip.
diff --git a/pngrtran.c b/pngrtran.c
index 3d33b3dbb..9c54978c0 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -593,7 +593,7 @@ png_do_read_unpack(png_transformp *transform, png_transform_controlp tc)
 png_const_bytep sp = png_voidcast(png_const_bytep, tc->sp);
 png_const_bytep ep = png_voidcast(png_const_bytep, tc->dp);
 png_bytep dp = png_voidcast(png_bytep, tc->dp);
-
+
 sp += PNG_TC_ROWBYTES(*tc) - 1; /* Start from end */
 dp += tc->width; /* output bit depth is 8 */
@@ -616,7 +616,7 @@ png_do_read_unpack(png_transformp *transform, png_transform_controlp tc)
 if (shift == 0U)
 --sp;
 }
-
+
 debug(shift == 0U);
 break;
 }
@@ -1826,7 +1826,7 @@ png_log16bit(unsigned int x)
 * D^g
 * P = -----
 * D^g-1
- *
+ *
 * (M x (D^g-1)) (1)
 * R = (-----------)^(-)
 * ( D^g ) (g)
@@ -2159,7 +2159,7 @@ png_gamma_nxmbit_correct(unsigned int value, png_fixed_point gamma_val,
 r = floor(mout * pow(r, gamma_val*.00001)+.5);
 if (r < 1)
 return 0U;
-
+
 else if (r >= mout)
 return mout;
@@ -3854,7 +3854,7 @@ png_init_rgb_to_gray(png_transformp *transform, png_transform_controlp tc)
 {
 png_transformp tr_expand = png_push_transform(png_ptr, sizeof (png_expand), png_init_expand, transform, NULL);
-
+
 debug(*transform == tr_expand);
 tr_expand->args |= PNG_EXPAND_tRNS;
 png_init_expand(transform, tc);
@@ -3869,7 +3869,7 @@ png_init_rgb_to_gray(png_transformp *transform, png_transform_controlp tc)
 {
 png_fixed_point red, green;
-
+
 if (tr->coefficients_set)
 {
 red = tr->red_coefficient;
diff --git a/pngrutil.c b/pngrutil.c
index 1ab2e5b59..e7722392f 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -2472,7 +2472,7 @@ png_handle_iTXt(png_structrp png_ptr, png_inforp info_ptr)
 /******************************************************************************
 * UNKNOWN HANDLING LOGIC
- *
+ *
 * There are three ways an unknown chunk may arise:
 *
 * 1) Chunks not in the spec.
@@ -2512,7 +2512,7 @@ png_handle_iTXt(png_structrp png_ptr, png_inforp info_ptr)
 *
 * In the read code PNG_READ_UNKNOWN_CHUNKS_SUPPORTED is set only if either (1)
 * or (2) or both are supported.
- *
+ *
 *****************************************************************************/
 #ifdef PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
 static int
@@ -2742,10 +2742,10 @@ png_known_chunks[] =
 * the hashed name.
 */
 static const png_byte png_chunk_lut[64] =
-{
- 10, 20, 7, 3, 0, 23, 8, 0, 0, 11, 24, 0, 0, 0, 0, 4,
- 12, 0, 0, 0, 13, 0, 0, 0, 25, 0, 0, 0, 2, 0, 0, 0,
- 0, 6, 17, 0, 15, 0, 5, 19, 26, 0, 0, 0, 18, 0, 0, 9,
+{
+ 10, 20, 7, 3, 0, 23, 8, 0, 0, 11, 24, 0, 0, 0, 0, 4,
+ 12, 0, 0, 0, 13, 0, 0, 0, 25, 0, 0, 0, 2, 0, 0, 0,
+ 0, 6, 17, 0, 15, 0, 5, 19, 26, 0, 0, 0, 18, 0, 0, 9,
 1, 0, 21, 0, 22, 14, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0
 };
@@ -2802,7 +2802,7 @@ png_cache_known_unknown(png_structrp png_ptr, png_const_bytep add, int keep)
 (keep == PNG_HANDLE_CHUNK_IF_SAFE && PNG_CHUNK_ANCILLARY(name)))
 png_ptr->save_unknown |= 1U << i;
-
+
 else /* PNG_HANDLE_CHUNK_NEVER || !SAFE */
 png_ptr->save_unknown &= ~(1U << i);
 # endif /* SAVE_UNKNOWN_CHUNKS */
@@ -2993,7 +2993,7 @@ png_find_chunk_op(png_structrp png_ptr)
 # endif /* READ_USER_CHUNKS */
 # ifdef PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
- /* There is no per-chunk special handling set for this chunk
+ /* There is no per-chunk special handling set for this chunk
 * (because of the test on known_unknown above) so only the
 * default unknown handling behavior matters. We skip the chunk
 * if the behavior is 'NEVER' or 'DEFAULT'. This is irrelevant
@@ -3155,7 +3155,7 @@ combine_row(png_const_structrp png_ptr, png_bytep dp, png_const_bytep sp,
 *
 * The destination pointer (but not size) and how to handle intermediate
 * passes are arguments to the API. The destination is the pointer to the
- * entire row buffer, not just the part from output[x] on. 'display' is
+ * entire row buffer, not just the part from output[x] on. 'display' is
 * interpreted as:
 *
 * 0: only overwrite destination pixels that will correspond to the source
@@ -3304,7 +3304,7 @@ combine_row(png_const_structrp png_ptr, png_bytep dp, png_const_bytep sp,
 {
 /* Fill a byte with copies of the next pixel: */
 unsigned int spixel_rep = spixel;
-
+
 # ifdef PNG_READ_PACKSWAP_SUPPORTED
 if (lsb)
 spixel_rep >>= spos;
@@ -3396,7 +3396,7 @@ combine_row(png_const_structrp png_ptr, png_bytep dp, png_const_bytep sp,
 {
 /* Fill a byte with copies of the next pixel: */
 unsigned int spixel_rep = spixel;
-
+
 # ifdef PNG_READ_PACKSWAP_SUPPORTED
 if (lsb)
 spixel_rep >>= spos;
@@ -3760,8 +3760,8 @@ png_inflate_IDAT(png_structrp png_ptr, int finish,
 debug(png_ptr->zstream_ended);
 if (!finish) /* early end */
- break;
-
+ break;
+
 if (output_size > 0) /* incomplete read */
 {
 if (finish == 2) /* looking for end; it has been found */
@@ -4225,7 +4225,7 @@ png_read_process_IDAT(png_structrp png_ptr, png_bytep transformed_row,
 PNG_ROWBYTES(pixel_depth, pixels);
 png_alloc_size_t cb;
-
+
 affirm(bytes_to_read > bytes_read);
 cb = png_inflate_IDAT(png_ptr, finish, pixel_buffer.buffer + bytes_read,
@@ -4505,7 +4505,7 @@ png_read_finish_IDAT(png_structrp png_ptr)
 */
 {
 int ret = inflateEnd(&png_ptr->zstream);
-
+
 /* In fact we expect this to always succeed, so it is a good idea to
 * catch it in pre-release builds:
 */
diff --git a/pngstruct.h b/pngstruct.h
index 5343bde19..a562c75f0 100644
--- a/pngstruct.h
+++ b/pngstruct.h
@@ -325,7 +325,7 @@ typedef void (*png_transform_fn)(/* Function to implement a transform */
 * and format as before.
 *
 * In the write case the transforms are called in the reverse order and
- * the input bit depth and format should match the required values.
+ * the input bit depth and format should match the required values.
 *
 * It is valid during initialization for the transform function to push
 * another transform into the list in either the read or the write case if
diff --git a/pngtrans.c b/pngtrans.c
index f92c881e1..5ee0ab923 100644
--- a/pngtrans.c
+++ b/pngtrans.c
@@ -2228,7 +2228,7 @@ png_init_byte_ops(png_transformp *transform, png_transform_controlp tc)
 {
 unsigned int i = code_size;
 png_uint_32 code = 0U;
-
+
 while (i > 0U)
 {
 unsigned int next = codes[--i];
@@ -2256,7 +2256,7 @@ png_init_byte_ops(png_transformp *transform, png_transform_controlp tc)
 {
 unsigned int i = 0U;
 png_uint_32 code = 0U;
-
+
 while (i < code_size)
 {
 unsigned int next = codes[i++];
@@ -2295,7 +2295,7 @@ png_init_byte_ops(png_transformp *transform, png_transform_controlp tc)
 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
 static void
-png_init_rgb_to_gray_byte_ops(png_transformp *transform,
+png_init_rgb_to_gray_byte_ops(png_transformp *transform,
 png_transform_controlp tc)
 {
 /* This just delay initializes the function; all the transform initialization
@@ -2532,7 +2532,7 @@ set_filler(png_structrp png_ptr, png_uint_32 filler, int filler_loc, int alpha)
 png_add_transform(png_ptr, sizeof (png_transform_byte_op), png_init_byte_ops, PNG_TR_CHANNEL_POSTQ));
 png_uint_32 args = PNG_BO_FILLER;
-
+
 if (filler_loc == PNG_FILLER_BEFORE)
 args |= PNG_BO_FILLER_FIRST;
diff --git a/pngwrite.c b/pngwrite.c
index bf06b89fd..afa065ce3 100644
--- a/pngwrite.c
+++ b/pngwrite.c
@@ -387,7 +387,7 @@ png_write_end(png_structrp png_ptr, png_inforp info_ptr)
 return;
 if ((png_ptr->mode &
- (PNG_HAVE_IHDR+PNG_HAVE_IDAT+PNG_AFTER_IDAT+PNG_HAVE_IEND)) !=
+ (PNG_HAVE_IHDR+PNG_HAVE_IDAT+PNG_AFTER_IDAT+PNG_HAVE_IEND)) !=
 (PNG_HAVE_IHDR+PNG_HAVE_IDAT+PNG_AFTER_IDAT))
 {
 /* Out of place png_write_end: */
@@ -676,7 +676,7 @@ write_row_buffered(png_structrp png_ptr, png_const_bytep row,
 {
 png_transform_control tc;
- /* The initial values are the memory format, this was worked out in
+ /* The initial values are the memory format, this was worked out in
 * png_init_row_info below.
 */
 memset(&tc, 0, sizeof tc);
@@ -981,7 +981,7 @@ interlace_row(png_structrp png_ptr, png_const_bytep row)
 break;
 default: /* Parameter is the pixel size in bytes */
- write_row_buffered(png_ptr, row,
+ write_row_buffered(png_ptr, row,
 row_number == PNG_PASS_START_ROW(pass), last_pass_row, end_of_image, interlace_row_byte, input_depth >> 3);
 break;
@@ -1038,7 +1038,7 @@ png_write_row(png_structrp png_ptr, png_const_bytep row)
 * It's just a warning at present.
 *
 * The test is that either the row_format produced by the write
- * transforms exactly matches that in the original
+ * transforms exactly matches that in the original
 * info_struct::format or that the info_struct::format was a simple
 * mapping of the color_type that ended up in the IHDR:
 */
diff --git a/pngwutil.c b/pngwutil.c
index c16826e84..37d54ae69 100644
--- a/pngwutil.c
+++ b/pngwutil.c
@@ -1971,7 +1971,7 @@ write_filtered_row(png_structrp png_ptr, png_const_bytep filtered_row,
 if (filter < PNG_FILTER_VALUE_LAST) /* start of row */
 {
 png_byte buffer[1];
-
+
 buffer[0] = filter;
 png_compress_IDAT(png_ptr, buffer, 1U/*len*/, Z_NO_FLUSH);
 }