diff --git a/png.h b/png.h index e0b477867..522268487 100644 --- a/png.h +++ b/png.h @@ -2284,7 +2284,7 @@ PNG_EXPORT(160, int, png_get_sPLT, (png_const_structrp png_ptr, #endif #ifdef PNG_sPLT_SUPPORTED -PNG_EXPORT(161, void, png_set_sPLT, (png_const_structrp png_ptr, +PNG_EXPORT(161, void, png_set_sPLT, (png_structrp png_ptr, png_inforp info_ptr, png_const_sPLT_tp entries, int nentries)); #endif @@ -2302,7 +2302,7 @@ PNG_EXPORT(162, int, png_get_text, (png_const_structrp png_ptr, */ #ifdef PNG_TEXT_SUPPORTED -PNG_EXPORT(163, void, png_set_text, (png_const_structrp png_ptr, +PNG_EXPORT(163, void, png_set_text, (png_structrp png_ptr, png_inforp info_ptr, png_const_textp text_ptr, int num_text)); #endif @@ -2462,7 +2462,7 @@ PNG_EXPORT(173, int, png_handle_as_unknown, (png_const_structrp png_ptr, #endif #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED -PNG_EXPORT(174, void, png_set_unknown_chunks, (png_const_structrp png_ptr, +PNG_EXPORT(174, void, png_set_unknown_chunks, (png_structrp png_ptr, png_inforp info_ptr, png_const_unknown_chunkp unknowns, int num_unknowns)); /* NOTE: prior to 1.6.0 this routine set the 'location' field of the added diff --git a/pngmem.c b/pngmem.c index 178ed8e79..7fcb1dc6d 100644 --- a/pngmem.c +++ b/pngmem.c @@ -123,7 +123,7 @@ png_malloc_array,(png_const_structrp png_ptr, int nelements, } PNG_FUNCTION(png_voidp /* PRIVATE */, -png_realloc_array,(png_const_structrp png_ptr, png_const_voidp old_array, +png_realloc_array,(png_structrp png_ptr, png_const_voidp old_array, int old_elements, int add_elements, size_t element_size),PNG_ALLOCATED) { /* These are internal errors: */ @@ -154,6 +154,11 @@ png_realloc_array,(png_const_structrp png_ptr, png_const_voidp old_array, } } + /* The potential overflow case. Set the cache counter so libpng will + * not make any more attempts + */ + png_ptr->user_chunk_cache_max = 2; + return NULL; /* error */ } diff --git a/pngpriv.h b/pngpriv.h index dbd7244b9..c677dfca1 100644 --- a/pngpriv.h +++ b/pngpriv.h 
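Review bot: Exports 161, 163 and 174 (png_set_sPLT, png_set_text, png_set_unknown_chunks) drop `const` from png_ptr, which changes a public prototype: a caller that only holds a `png_const_structrp` can no longer pass it to these setters without a qualifier warning or error. Judging by the pngmem.c hunk in this diff, the only reason is that png_realloc_array now writes `user_chunk_cache_max`. The read-side handler visible here, `png_handle_sPLT(png_structrp png_ptr, ...)`, already has a mutable png_ptr, so doing the counter update there would keep the three setters const. If the signature change stays, say why at the prototype, for example `/* png_ptr is not const: a failed array grow lowers user_chunk_cache_max */`.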
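Review bot: The added `png_ptr->user_chunk_cache_max = 2;` sits directly before the shared `return NULL; /* error */`, so as far as the hunk shows it runs on every failure of png_realloc_array, not only in the overflow case the comment names (the checks above it are outside the hunk). It also silently replaces whatever cache limit the application had configured, and the literal `2` is not explained. In upstream libpng this field is declared only when PNG_USER_LIMITS_SUPPORTED is defined; if that holds in this tree, the assignment needs an `#ifdef PNG_USER_LIMITS_SUPPORTED` / `#endif` guard or builds without user limits will not compile. The comment should describe the real trigger and effect, e.g. `/* Any failure to grow the array: lower the cache counter so the reader stops storing further chunks */`.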
@@ -762,7 +762,7 @@ PNG_INTERNAL_FUNCTION(png_voidp,png_malloc_array,(png_const_structrp png_ptr, * also memsets the new elements to 0 and copies the old elements. The old * array is not freed or altered. */ -PNG_INTERNAL_FUNCTION(png_voidp,png_realloc_array,(png_const_structrp png_ptr, +PNG_INTERNAL_FUNCTION(png_voidp,png_realloc_array,(png_structrp png_ptr, png_const_voidp array, int old_elements, int add_elements, size_t element_size),PNG_ALLOCATED); #endif /* text, sPLT or unknown chunks */ @@ -943,7 +943,7 @@ PNG_INTERNAL_FUNCTION(void,png_write_iTXt,(png_structrp png_ptr, #endif #ifdef PNG_TEXT_SUPPORTED /* Added at version 1.0.14 and 1.2.4 */ -PNG_INTERNAL_FUNCTION(int,png_set_text_2,(png_const_structrp png_ptr, +PNG_INTERNAL_FUNCTION(int,png_set_text_2,(png_structrp png_ptr, png_inforp info_ptr, png_const_textp text_ptr, int num_text),PNG_EMPTY); #endif diff --git a/pngrutil.c b/pngrutil.c index da9e24386..6118e6de8 100644 --- a/pngrutil.c +++ b/pngrutil.c @@ -1658,8 +1658,8 @@ png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) if (dl > max_dl) { - png_warning(png_ptr, "sPLT chunk too long"); - return; + png_warning(png_ptr, "sPLT chunk too long"); + return; } new_palette.nentries = (png_int_32)(data_length / entry_size); @@ -1669,8 +1669,8 @@ png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) if (new_palette.entries == NULL) { - png_warning(png_ptr, "sPLT chunk requires too much memory"); - return; + png_warning(png_ptr, "sPLT chunk requires too much memory"); + return; } #ifdef PNG_POINTER_INDEXING_SUPPORTED diff --git a/pngset.c b/pngset.c index 7b9555aa1..f4e03ec36 100644 --- a/pngset.c +++ b/pngset.c @@ -678,7 +678,7 @@ png_set_iCCP(png_const_structrp png_ptr, png_inforp info_ptr, #ifdef PNG_TEXT_SUPPORTED void PNGAPI -png_set_text(png_const_structrp png_ptr, png_inforp info_ptr, +png_set_text(png_structrp png_ptr, png_inforp info_ptr, png_const_textp text_ptr, int num_text) { int ret; 
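Review bot: The comment kept above the png_realloc_array prototype still says only that the old array "is not freed or altered", but with this commit the function also modifies png_ptr when it fails, as the pngmem.c hunk of this diff shows. That side effect is the reason the parameter lost `const`, so it belongs in the documented contract: add `* On failure NULL is returned and png_ptr->user_chunk_cache_max is set to 2.` before the closing `*/`. The opening lines of that comment are outside the hunk.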
@@ -689,7 +689,7 @@ png_set_text(png_const_structrp png_ptr, png_inforp info_ptr, } int /* PRIVATE */ -png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr, +png_set_text_2(png_structrp png_ptr, png_inforp info_ptr, png_const_textp text_ptr, int num_text) { int i; @@ -736,6 +736,7 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr, { png_chunk_report(png_ptr, "too many text chunks", PNG_CHUNK_WRITE_ERROR); + return 1; } @@ -1005,7 +1006,7 @@ png_set_tRNS(png_structrp png_ptr, png_inforp info_ptr, #ifdef PNG_sPLT_SUPPORTED void PNGAPI -png_set_sPLT(png_const_structrp png_ptr, +png_set_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_const_sPLT_tp entries, int nentries) /* * entries - array of png_sPLT_t structures @@ -1032,6 +1033,7 @@ png_set_sPLT(png_const_structrp png_ptr, { /* Out of memory or too many chunks */ png_chunk_report(png_ptr, "too many sPLT chunks", PNG_CHUNK_WRITE_ERROR); + return; } @@ -1140,7 +1142,7 @@ check_location(png_const_structrp png_ptr, int location) } void PNGAPI -png_set_unknown_chunks(png_const_structrp png_ptr, +png_set_unknown_chunks(png_structrp png_ptr, png_inforp info_ptr, png_const_unknown_chunkp unknowns, int num_unknowns) { png_unknown_chunkp np; @@ -1185,6 +1187,7 @@ png_set_unknown_chunks(png_const_structrp png_ptr, { png_chunk_report(png_ptr, "too many unknown chunks", PNG_CHUNK_WRITE_ERROR); + return; } @@ -1382,7 +1385,6 @@ png_set_keep_unknown_chunks(png_structrp png_ptr, int keep, if (num_chunks + old_num_chunks > UINT_MAX/5) { png_app_error(png_ptr, "png_set_keep_unknown_chunks: too many chunks"); - return; } /* If these chunks are being reset to the default then no more memory is
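Review bot: In png_set_keep_unknown_chunks, the line removed from the `num_chunks + old_num_chunks > UINT_MAX/5` branch reads as the `return;` that followed png_app_error, although the flattened rendering does not rule out that only a blank line was dropped. If the return is gone, the guard no longer stops the function. png_app_error is not guaranteed to be fatal (an application can have application errors reported as warnings), so the code after the branch would carry on with a chunk count that was just found to be too large for the size arithmetic. Keep `return;` as the last statement of that block; the rest of the function is outside the hunk.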