[libpng17] Set counter to prevent additional attempts to cache a chunk

after running out of memory or reaching a potential overflow condition.

png.h

@@ -2284,7 +2284,7 @@ PNG_EXPORT(160, int, png_get_sPLT, (png_const_structrp png_ptr,
 #endif
 
 #ifdef PNG_sPLT_SUPPORTED
-PNG_EXPORT(161, void, png_set_sPLT, (png_const_structrp png_ptr,
+PNG_EXPORT(161, void, png_set_sPLT, (png_structrp png_ptr,
     png_inforp info_ptr, png_const_sPLT_tp entries, int nentries));
 #endif
 
@@ -2302,7 +2302,7 @@ PNG_EXPORT(162, int, png_get_text, (png_const_structrp png_ptr,
  */
 
 #ifdef PNG_TEXT_SUPPORTED
-PNG_EXPORT(163, void, png_set_text, (png_const_structrp png_ptr,
+PNG_EXPORT(163, void, png_set_text, (png_structrp png_ptr,
     png_inforp info_ptr, png_const_textp text_ptr, int num_text));
 #endif
 
@@ -2462,7 +2462,7 @@ PNG_EXPORT(173, int, png_handle_as_unknown, (png_const_structrp png_ptr,
 #endif
 
 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
-PNG_EXPORT(174, void, png_set_unknown_chunks, (png_const_structrp png_ptr,
+PNG_EXPORT(174, void, png_set_unknown_chunks, (png_structrp png_ptr,
     png_inforp info_ptr, png_const_unknown_chunkp unknowns,
     int num_unknowns));
    /* NOTE: prior to 1.6.0 this routine set the 'location' field of the added

pngmem.c

@@ -123,7 +123,7 @@ png_malloc_array,(png_const_structrp png_ptr, int nelements,
 }
 
 PNG_FUNCTION(png_voidp /* PRIVATE */,
-png_realloc_array,(png_const_structrp png_ptr, png_const_voidp old_array,
+png_realloc_array,(png_structrp png_ptr, png_const_voidp old_array,
    int old_elements, int add_elements, size_t element_size),PNG_ALLOCATED)
 {
    /* These are internal errors: */
@@ -154,6 +154,11 @@ png_realloc_array,(png_const_structrp png_ptr, png_const_voidp old_array,
       }
    }
 
+   /* The potential overflow case.  Set the cache counter so libpng will
+    * not make any more attempts
+    */
+   png_ptr->user_chunk_cache_max = 2;
+
    return NULL; /* error */
 }
 

pngpriv.h

@@ -762,7 +762,7 @@ PNG_INTERNAL_FUNCTION(png_voidp,png_malloc_array,(png_const_structrp png_ptr,
  * also memsets the new elements to 0 and copies the old elements.  The old
  * array is not freed or altered.
  */
-PNG_INTERNAL_FUNCTION(png_voidp,png_realloc_array,(png_const_structrp png_ptr,
+PNG_INTERNAL_FUNCTION(png_voidp,png_realloc_array,(png_structrp png_ptr,
    png_const_voidp array, int old_elements, int add_elements,
    size_t element_size),PNG_ALLOCATED);
 #endif /* text, sPLT or unknown chunks */
@@ -943,7 +943,7 @@ PNG_INTERNAL_FUNCTION(void,png_write_iTXt,(png_structrp png_ptr,
 #endif
 
 #ifdef PNG_TEXT_SUPPORTED  /* Added at version 1.0.14 and 1.2.4 */
-PNG_INTERNAL_FUNCTION(int,png_set_text_2,(png_const_structrp png_ptr,
+PNG_INTERNAL_FUNCTION(int,png_set_text_2,(png_structrp png_ptr,
     png_inforp info_ptr, png_const_textp text_ptr, int num_text),PNG_EMPTY);
 #endif
 

pngrutil.c

@@ -1658,8 +1658,8 @@ png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 
    if (dl > max_dl)
    {
-       png_warning(png_ptr, "sPLT chunk too long");
-       return;
+      png_warning(png_ptr, "sPLT chunk too long");
+      return;
    }
 
    new_palette.nentries = (png_int_32)(data_length / entry_size);
@@ -1669,8 +1669,8 @@ png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 
    if (new_palette.entries == NULL)
    {
-       png_warning(png_ptr, "sPLT chunk requires too much memory");
-       return;
+      png_warning(png_ptr, "sPLT chunk requires too much memory");
+      return;
    }
 
 #ifdef PNG_POINTER_INDEXING_SUPPORTED

pngset.c

@@ -678,7 +678,7 @@ png_set_iCCP(png_const_structrp png_ptr, png_inforp info_ptr,
 
 #ifdef PNG_TEXT_SUPPORTED
 void PNGAPI
-png_set_text(png_const_structrp png_ptr, png_inforp info_ptr,
+png_set_text(png_structrp png_ptr, png_inforp info_ptr,
     png_const_textp text_ptr, int num_text)
 {
    int ret;
@@ -689,7 +689,7 @@ png_set_text(png_const_structrp png_ptr, png_inforp info_ptr,
 }
 
 int /* PRIVATE */
-png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
+png_set_text_2(png_structrp png_ptr, png_inforp info_ptr,
     png_const_textp text_ptr, int num_text)
 {
    int i;
@@ -736,6 +736,7 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
       {
          png_chunk_report(png_ptr, "too many text chunks",
             PNG_CHUNK_WRITE_ERROR);
+
          return 1;
       }
 
@@ -1005,7 +1006,7 @@ png_set_tRNS(png_structrp png_ptr, png_inforp info_ptr,
 
 #ifdef PNG_sPLT_SUPPORTED
 void PNGAPI
-png_set_sPLT(png_const_structrp png_ptr,
+png_set_sPLT(png_structrp png_ptr,
     png_inforp info_ptr, png_const_sPLT_tp entries, int nentries)
 /*
  *  entries        - array of png_sPLT_t structures
@@ -1032,6 +1033,7 @@ png_set_sPLT(png_const_structrp png_ptr,
    {
       /* Out of memory or too many chunks */
       png_chunk_report(png_ptr, "too many sPLT chunks", PNG_CHUNK_WRITE_ERROR);
+
       return;
    }
 
@@ -1140,7 +1142,7 @@ check_location(png_const_structrp png_ptr, int location)
 }
 
 void PNGAPI
-png_set_unknown_chunks(png_const_structrp png_ptr,
+png_set_unknown_chunks(png_structrp png_ptr,
    png_inforp info_ptr, png_const_unknown_chunkp unknowns, int num_unknowns)
 {
    png_unknown_chunkp np;
@@ -1185,6 +1187,7 @@ png_set_unknown_chunks(png_const_structrp png_ptr,
    {
       png_chunk_report(png_ptr, "too many unknown chunks",
          PNG_CHUNK_WRITE_ERROR);
+
       return;
    }
 
@@ -1382,7 +1385,6 @@ png_set_keep_unknown_chunks(png_structrp png_ptr, int keep,
    if (num_chunks + old_num_chunks > UINT_MAX/5)
    {
       png_app_error(png_ptr, "png_set_keep_unknown_chunks: too many chunks");
-      return;
    }
 
    /* If these chunks are being reset to the default then no more memory is