[libpng17] Fixed bug recently introduced in png_set_PLTE() that uses png_ptr not info_ptr.
Glenn Randers-Pehrson 2015-11-22 20:44:58 -06:00
parent 09c90236f4
commit 9eb14136d8
3 changed files with 10 additions and 6 deletions


@ -1,5 +1,5 @@
Libpng 1.7.0beta69 - November 22, 2015 Libpng 1.7.0beta69 - November 23, 2015
This is not intended to be a public release. It will be replaced This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version. within a few weeks by a public version or by another test version.
@ -965,11 +965,13 @@ Version 1.7.0beta68 [November 12, 2015]
(bug report by Cosmin Truta). (bug report by Cosmin Truta).
Cleaned up coding style in png_handle_PLTE(). Cleaned up coding style in png_handle_PLTE().
Version 1.7.0beta69 [November 22, 2015] Version 1.7.0beta69 [November 23, 2015]
Avoid potential pointer overflow/underflow in png_handle_sPLT() and Avoid potential pointer overflow/underflow in png_handle_sPLT() and
png_handle_pCAL() (Bug report by John Regehr). png_handle_pCAL() (Bug report by John Regehr).
Avoid conditionally compiling parts of statements in png.c (suggested Avoid conditionally compiling parts of statements in png.c (suggested
by flaviommedeiros). by flaviommedeiros).
Fixed bug recently introduced in png_set_PLTE() that uses png_ptr
not info_ptr.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit


@ -5264,11 +5264,13 @@ Version 1.7.0beta68 [November 12, 2015]
(bug report by Cosmin Truta) (CVE-2015-8126). (bug report by Cosmin Truta) (CVE-2015-8126).
Cleaned up coding style in png_handle_PLTE(). Cleaned up coding style in png_handle_PLTE().
Version 1.7.0beta69 [November 22, 2015] Version 1.7.0beta69 [November 23, 2015]
Avoid potential pointer overflow/underflow in png_handle_sPLT() and Avoid potential pointer overflow/underflow in png_handle_sPLT() and
png_handle_pCAL() (Bug report by John Regehr). png_handle_pCAL() (Bug report by John Regehr).
Avoid conditionally compiling parts of statements in png.c (suggested Avoid conditionally compiling parts of statements in png.c (suggested
by flaviommedeiros). by flaviommedeiros).
Fixed bug recently introduced in png_set_PLTE() that uses png_ptr
not info_ptr.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit
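
Review bot: The added changelog entry "Fixed bug recently introduced in png_set_PLTE() that uses png_ptr not info_ptr" does not say which pointer is the correct one or what was being read from it. Suggest wording along the lines of "png_set_PLTE() now takes the format and bit depth from info_ptr instead of png_ptr", applied to the identical entry in the other changelog file touched by this commit as well.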


@ -509,12 +509,12 @@ png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
if (png_ptr == NULL || info_ptr == NULL) if (png_ptr == NULL || info_ptr == NULL)
return; return;
max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? max_palette_length = (info_ptr->format & PNG_FORMAT_FLAG_COLORMAP) == 0 ?
(1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; (1 << info_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
if (num_palette < 0 || num_palette > (int) max_palette_length) if (num_palette < 0 || num_palette > (int) max_palette_length)
{ {
if ((info_ptr->format == PNG_FORMAT_FLAG_COLORMAP) != 0) if ((info_ptr->format & PNG_FORMAT_FLAG_COLORMAP) != 0)
png_chunk_error(png_ptr, "Invalid palette length"); png_chunk_error(png_ptr, "Invalid palette length");
else else
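
Review bot: The new max_palette_length ternary tests (info_ptr->format & PNG_FORMAT_FLAG_COLORMAP) == 0, which reverses the sense of the removed png_ptr->color_type == PNG_COLOR_TYPE_PALETTE test. As written, the bit-depth limit 1 << info_ptr->bit_depth applies to images without the colormap flag, while colormapped images are allowed PNG_MAX_PALETTE_LENGTH entries regardless of bit depth. If the intent is still to bound a paletted image's palette by its bit depth, the comparison should be != 0, consistent with the != 0 test a few lines below that guards png_chunk_error(). The change from == to & in that lower test looks correct.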