[libpng15] Made the check for out-of-range values in png_set_tRNS() detect

values that are exactly 2^bit_depth, and work on 16-bit platforms.

ANNOUNCE

@@ -1,5 +1,5 @@
 
-Libpng 1.5.22beta01 - December 29, 2014
+Libpng 1.5.22beta01 - January 13, 2015
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -27,8 +27,10 @@ Other information:
 
 Changes since the last public release (1.5.21):
 
-Version 1.5.22beta01 [December 29, 2014]
+Version 1.5.22beta01 [January 13, 2015]
   Regenerated configure scripts with libtool-2.4.4
+  Made the check for out-of-range values in png_set_tRNS() detect
+    values that are exactly 2^bit_depth, and work on 16-bit platforms.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

CHANGES

@@ -4279,19 +4279,22 @@ Version 1.5.21beta01 [December 14, 2014]
 
 Version 1.5.21rc01 [December 21, 2014]
   Restored a test on width that was removed from png.c at libpng-1.6.9
-    (Bug report by Alex Eubanks).
+    (Bug report by Alex Eubanks, CVE-2015-0973).
 
 Version 1.5.21rc02 [December 21, 2014]
   Undid the update to pngrutil.c in 1.6.16rc01.
 
 Version 1.5.21rc03 [December 21, 2014]
-  Fixed an overflow in png_combine_row with very wide interlaced images.
+  Fixed an overflow in png_combine_row with very wide interlaced images
+    (Bug report and fix by John Bowler, CVE-2014-9495).
 
 Version 1.5.21 [December 22, 2014]
   No changes.
 
-Version 1.5.22beta01 [December 29, 2014]
+Version 1.5.22beta01 [January 13, 2015]
   Regenerated configure scripts with libtool-2.4.4
+  Made the check for out-of-range values in png_set_tRNS() detect
+    values that are exactly 2^bit_depth, and work on 16-bit platforms.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

pngset.c

@@ -1,7 +1,7 @@
 
 /* pngset.c - storage of image information into info struct
  *
- * Last changed in libpng 1.5.20 [November 20, 2014]
+ * Last changed in libpng 1.5.22 [(PENDING RELEASE)]
  * Copyright (c) 1998-2014 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -926,16 +926,19 @@ png_set_tRNS(png_structp png_ptr, png_infop info_ptr,
 
    if (trans_color != NULL)
    {
-      int sample_max = (1 << info_ptr->bit_depth);
+      if (info_ptr->bit_depth < 16)
+      {
+         unsigned int sample_max = (1U << info_ptr->bit_depth) - 1U;
 
-      if ((info_ptr->color_type == PNG_COLOR_TYPE_GRAY &&
+         if ((info_ptr->color_type == PNG_COLOR_TYPE_GRAY &&
-          (int)trans_color->gray > sample_max) ||
+             trans_color->gray > sample_max) ||
-          (info_ptr->color_type == PNG_COLOR_TYPE_RGB &&
+             (info_ptr->color_type == PNG_COLOR_TYPE_RGB &&
-          ((int)trans_color->red > sample_max ||
+             (trans_color->red > sample_max ||
-          (int)trans_color->green > sample_max ||
+             trans_color->green > sample_max ||
-          (int)trans_color->blue > sample_max)))
+             trans_color->blue > sample_max)))
-         png_warning(png_ptr,
+           png_warning(png_ptr,
-            "tRNS chunk has out-of-range samples for bit_depth");
+              "tRNS chunk has out-of-range samples for bit_depth");
+      }
 
       png_memcpy(&(info_ptr->trans_color), trans_color,
          png_sizeof(png_color_16));