From 7a6bbfd649fb35645a3b1c5f6428dadba86b1fc9 Mon Sep 17 00:00:00 2001
From: John Bowler
Date: Sun, 21 Dec 2014 16:40:33 -0600
Subject: [PATCH] [libpng15] Fixed an overflow in png_combine_row with very wide interlaced images.
---
 ANNOUNCE | 23 +++++++++++++----------
 CHANGES | 3 +++
 pngrutil.c | 6 +++---
 3 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/ANNOUNCE b/ANNOUNCE
index 4ac7b55d3..d5448b79f 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
-Libpng 1.5.21rc02 - December 21, 2014
+Libpng 1.5.21rc03 - December 21, 2014
 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version.
@@ -9,21 +9,21 @@ Files available for download:
 Source files with LF line endings (for Unix/Linux) and with a "configure" script
- 1.5.21rc02.tar.xz (LZMA-compressed, recommended)
- 1.5.21rc02.tar.gz
- 1.5.21rc02.tar.bz2
+ 1.5.21rc03.tar.xz (LZMA-compressed, recommended)
+ 1.5.21rc03.tar.gz
+ 1.5.21rc03.tar.bz2
 Source files with CRLF line endings (for Windows), without the "configure" script
- lp1521r02.7z (LZMA-compressed, recommended)
- lp1521r02.zip
+ lp1521r03.7z (LZMA-compressed, recommended)
+ lp1521r03.zip
 Other information:
- 1.5.21rc02-README.txt
- 1.5.21rc02-LICENSE.txt
- libpng-1.5.21rc02-*.asc (armored detached GPG signatures)
+ 1.5.21rc03-README.txt
+ 1.5.21rc03-LICENSE.txt
+ libpng-1.5.21rc03-*.asc (armored detached GPG signatures)
 Changes since the last public release (1.5.20):
@@ -36,7 +36,10 @@ Version 1.5.21rc01 [December 21, 2014]
 (Bug report by Alex Eubanks). Version 1.5.21rc02 [December 21, 2014]
- Undid the update to pngrutil.c in 1.6.16rc01.
+ Undid the update to pngrutil.c in 1.5.21rc01.
+
+Version 1.5.21rc03 [December 21, 2014]
+ Fixed an overflow in png_combine_row with very wide interlaced images.
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit
diff --git a/CHANGES b/CHANGES
index 2c0cebaba..41e66e61d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4284,6 +4284,9 @@ Version 1.5.21rc01 [December 21, 2014]
 Version 1.5.21rc02 [December 21, 2014] Undid the update to pngrutil.c in 1.6.16rc01.
+Version 1.5.21rc03 [December 21, 2014]
+ Fixed an overflow in png_combine_row with very wide interlaced images.
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/pngrutil.c b/pngrutil.c
index 6b32fa6cc..3a017ade9 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -2805,7 +2805,7 @@ png_combine_row(png_structp png_ptr, png_bytep dp, int display)
 {
 unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
 png_const_bytep sp = png_ptr->row_buf + 1;
- png_uint_32 row_width = png_ptr->width;
+ png_alloc_size_t row_width = png_ptr->width;
 unsigned int pass = png_ptr->pass;
 png_bytep end_ptr = 0;
 png_byte end_byte = 0;
@@ -3078,7 +3078,7 @@ png_combine_row(png_structp png_ptr, png_bytep dp, int display)
 /* But don't allow this number to exceed the actual row width. */
 if (bytes_to_copy > row_width)
- bytes_to_copy = row_width;
+ bytes_to_copy = (unsigned int)/*SAFE*/row_width;
 }
 else /* normal row; Adam7 only ever gives us one pixel to copy. */
@@ -3256,7 +3256,7 @@ png_combine_row(png_structp png_ptr, png_bytep dp, int display)
 dp += bytes_to_jump;
 row_width -= bytes_to_jump;
 if (bytes_to_copy > row_width)
- bytes_to_copy = row_width;
+ bytes_to_copy = (unsigned int)/*SAFE*/row_width;
 }
 }
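Review bot: The widened declaration `png_alloc_size_t row_width = png_ptr->width;` at the top of png_combine_row only removes the overflow where `png_alloc_size_t` is wider than `png_uint_32`. On builds where `size_t` is 32 bits the two types have the same range, so any arithmetic on `row_width` behaves as before. The computation that overflowed lies outside this hunk, so I cannot tell from here whether an earlier width or row-size limit already covers those builds. I would record the assumption on the declaration, for example `/* byte counts derived from width can exceed 32 bits; with a 32-bit size_t this relies on the width limit enforced elsewhere - confirm */`.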
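Review bot: The bare `/*SAFE*/` marker in `bytes_to_copy = (unsigned int)/*SAFE*/row_width;` does not say why the narrowing cast cannot truncate, and the same cast is repeated in the hunk at line 3256. The reason is the guard on the line above: the assignment runs only when `bytes_to_copy > row_width`, so `row_width` is already below a value held in `bytes_to_copy` (presumably an `unsigned int`; its declaration is outside the hunk). I would spell that out at both sites, e.g. `/* row_width < bytes_to_copy here, so it fits in unsigned int */`, so that a later edit which moves or loosens the guard does not silently truncate a copy length.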