From 747cea57e346c89ee70924de99f9e0d231c7ce4f Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Tue, 13 Jan 2015 09:39:15 -0600 Subject: [PATCH] [libpng15] Made the check for out-of-range values in png_set_tRNS() detect values that are exactly 2^bit_depth, and work on 16-bit platforms. --- ANNOUNCE | 6 ++++-- CHANGES | 9 ++++++--- pngset.c | 23 +++++++++++++---------- 3 files changed, 23 insertions(+), 15 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index fbd7ec013..b462c6aa1 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,5 +1,5 @@ -Libpng 1.5.22beta01 - December 29, 2014 +Libpng 1.5.22beta01 - January 13, 2015 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -27,8 +27,10 @@ Other information: Changes since the last public release (1.5.21): -Version 1.5.22beta01 [December 29, 2014] +Version 1.5.22beta01 [January 13, 2015] Regenerated configure scripts with libtool-2.4.4 + Made the check for out-of-range values in png_set_tRNS() detect + values that are exactly 2^bit_depth, and work on 16-bit platforms. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index 4b8692411..b5dec2b0b 100644 --- a/CHANGES +++ b/CHANGES 
@@ -4279,19 +4279,22 @@ Version 1.5.21beta01 [December 14, 2014] Version 1.5.21rc01 [December 21, 2014] Restored a test on width that was removed from png.c at libpng-1.6.9 - (Bug report by Alex Eubanks). + (Bug report by Alex Eubanks, CVE-2015-0973). Version 1.5.21rc02 [December 21, 2014] Undid the update to pngrutil.c in 1.6.16rc01. Version 1.5.21rc03 [December 21, 2014] - Fixed an overflow in png_combine_row with very wide interlaced images. + Fixed an overflow in png_combine_row with very wide interlaced images + (Bug report and fix by John Bowler, CVE-2014-9495). Version 1.5.21 [December 22, 2014] No changes. -Version 1.5.22beta01 [December 29, 2014] +Version 1.5.22beta01 [January 13, 2015] Regenerated configure scripts with libtool-2.4.4 + Made the check for out-of-range values in png_set_tRNS() detect + values that are exactly 2^bit_depth, and work on 16-bit platforms. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/pngset.c b/pngset.c index e932ff7bf..64d452de7 100644 --- a/pngset.c +++ b/pngset.c @@ -1,7 +1,7 @@ /* pngset.c - storage of image information into info struct * - * Last changed in libpng 1.5.20 [November 20, 2014] + * Last changed in libpng 1.5.22 [(PENDING RELEASE)] * Copyright (c) 1998-2014 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) 
@@ -926,16 +926,19 @@ png_set_tRNS(png_structp png_ptr, png_infop info_ptr, if (trans_color != NULL) { - int sample_max = (1 << info_ptr->bit_depth); + if (info_ptr->bit_depth < 16) + { + unsigned int sample_max = (1U << info_ptr->bit_depth) - 1U; - if ((info_ptr->color_type == PNG_COLOR_TYPE_GRAY && - (int)trans_color->gray > sample_max) || - (info_ptr->color_type == PNG_COLOR_TYPE_RGB && - ((int)trans_color->red > sample_max || - (int)trans_color->green > sample_max || - (int)trans_color->blue > sample_max))) - png_warning(png_ptr, - "tRNS chunk has out-of-range samples for bit_depth"); + if ((info_ptr->color_type == PNG_COLOR_TYPE_GRAY && + trans_color->gray > sample_max) || + (info_ptr->color_type == PNG_COLOR_TYPE_RGB && + (trans_color->red > sample_max || + trans_color->green > sample_max || + trans_color->blue > sample_max))) + png_warning(png_ptr, + "tRNS chunk has out-of-range samples for bit_depth"); + } png_memcpy(&(info_ptr->trans_color), trans_color, png_sizeof(png_color_16));
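Review bot: The out-of-range check inside the new `if (info_ptr->bit_depth < 16)` block only calls `png_warning`, and the `png_memcpy` that follows still stores the offending `trans_color` samples in `info_ptr->trans_color` unchanged. The warning text suggests these values can originate from a file's tRNS chunk, so any later code that reads `info_ptr->trans_color` presumably has to tolerate samples above `sample_max`. That contract is worth stating at the check, for example `/* Warn only: out-of-range samples are still stored as given, so consumers must not assume they fit in bit_depth bits. */`. A short comment on the guard would also help, such as `/* 16-bit samples cannot exceed the maximum, and 1U << 16 would overflow a 16-bit unsigned int. */` (assuming the png_color_16 sample fields are 16 bits wide, which this hunk does not show). The body of png_set_tRNS starts and ends outside this hunk.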