[libpng17] Updated CHANGES and ANNOUNCE

ANNOUNCE

@@ -1,5 +1,5 @@
 
-Libpng 1.7.0beta77 - January 11, 2016
+Libpng 1.7.0beta77 - January 12, 2016
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -1172,7 +1172,7 @@ Version 1.7.0beta76 [January 7, 2016]
   Fixed new Coverity defect, potential NULL dereference of "ps" in pngwutil.c
   Added temporary workaround for Coverity "Dead code" defect.
 
-Version 1.7.0beta77 [January 11, 2016]
+Version 1.7.0beta77 [January 12, 2016]
   Fixed new Coverity defect, another NULL dereference of "ps" in pngwutil.c
   Prevent the CMINFO optimization code from running twice on any PNG IDAT
     stream longer than 2048 bytes; the second time could overwrite bytes
@@ -1200,6 +1200,18 @@ Version 1.7.0beta77 [January 11, 2016]
     that the latter should only affect the write code. This includes a
     quiet API change to alter png_set_compression_buffer_size to use
     a png_alloc_size_t, not png_size_t and implement the correct checks.
+  Fixed recently introduced palette sharing bug.  The internal read
+    code change to stop sharing the palette was incompletely implemented.
+    The result is that unless palette index checking is turned off and
+    there are no read transformations the png_info palette gets deleted
+    when the png_struct is deleted.  This is normally harmless (png_info
+    gets deleted first) but in the case of pngcp it results in
+    use-after-free of the palette and, therefore, palette corruption and
+    maybe on some operating systems and access violation.
+  Updated the pngcp 'search' mode to check a restricted range of memLevels;
+    there is an unrelated bug which means that lower zlib memLevels result
+    in memory corruption under some circumstances, probably less often
+    than 1:1000.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

CHANGES

@@ -5471,7 +5471,7 @@ Version 1.7.0beta76 [January 7, 2016]
   Fixed new Coverity defect, potential NULL dereference of "ps" in pngwutil.c
   Added temporary workaround for Coverity "Dead code" defect.
 
-Version 1.7.0beta77 [January 11, 2016]
+Version 1.7.0beta77 [January 12, 2016]
   Fixed new Coverity defect, another NULL dereference of "ps" in pngwutil.c
   Prevent the CMINFO optimization code from running twice on any PNG IDAT
     stream longer than 2048 bytes; the second time could overwrite bytes
@@ -5499,6 +5499,18 @@ Version 1.7.0beta77 [January 11, 2016]
     that the latter should only affect the write code. This includes a
     quiet API change to alter png_set_compression_buffer_size to use
     a png_alloc_size_t, not png_size_t and implement the correct checks.
+  Fixed recently introduced palette sharing bug.  The internal read
+    code change to stop sharing the palette was incompletely implemented.
+    The result is that unless palette index checking is turned off and
+    there are no read transformations the png_info palette gets deleted
+    when the png_struct is deleted.  This is normally harmless (png_info
+    gets deleted first) but in the case of pngcp it results in
+    use-after-free of the palette and, therefore, palette corruption and
+    maybe on some operating systems and access violation.
+  Updated the pngcp 'search' mode to check a restricted range of memLevels;
+    there is an unrelated bug which means that lower zlib memLevels result
+    in memory corruption under some circumstances, probably less often
+    than 1:1000.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit