[libpng16] Fix an off-by-one error in the palette index checking function.

ANNOUNCE

@@ -301,6 +301,7 @@ Version 1.6.0beta17 [March 10, 2012]
 Version 1.6.0beta18 [March 11, 2012]
   Issue a png_benign_error() instead of png_warning() about bad palette index.
   In pngtest, treat benign errors as errors if "-strict" is present.
+  Fix an off-by-one error in the palette index checking function.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

CHANGES

@@ -4052,6 +4052,7 @@ Version 1.6.0beta17 [March 10, 2012]
 Version 1.6.0beta18 [March 11, 2012]
   Issue a png_benign_error() instead of png_warning() about bad palette index.
   In pngtest, treat benign errors as errors if "-strict" is present.
+  Fix an off-by-one error in the palette index checking function.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

contrib/libtests/pngstest.c

@@ -2692,29 +2692,35 @@ compare_two_images(Image *a, Image *b, int via_linear,
       /* Only check colormap entries that actually exist; */
       png_const_bytep ppa, ppb;
       int match;
-      png_byte in_use[256];
+      png_byte in_use[256], amax = 0, bmax = 0;
 
       memset(in_use, 0, sizeof in_use);
 
       ppa = rowa;
       ppb = rowb;
 
-      /* Do this the slow way to accumulate the 'in_use' flags */
+      /* Do this the slow way to accumulate the 'in_use' flags, don't break out
+       * of the loop until the end; this validates the color-mapped data to
+       * ensure all pixels are valid color-map indexes.
+       */
       for (y=0, match=1; y<height && match; ++y, ppa += stridea, ppb += strideb)
       {
          png_uint_32 x;
 
          for (x=0; x<width; ++x)
          {
+            png_byte bval = ppb[x];
             png_byte aval = ppa[x];
 
-            if (aval != ppb[x])
+            if (bval > bmax)
-            {
+               bmax = bval;
+
+            if (bval != aval)
                match = 0;
-               break;
-            }
 
             in_use[aval] = 1;
+            if (aval > amax)
+               amax = aval;
          }
       }
 
@@ -2743,8 +2749,9 @@ compare_two_images(Image *a, Image *b, int via_linear,
             {
                if ((a->opts & ACCUMULATE) == 0)
                {
-                  char pindex[4];
+                  char pindex[9];
-                  sprintf(pindex, "%lu", (unsigned long)y);
+                  sprintf(pindex, "%lu[%lu]", (unsigned long)y,
+                     (unsigned long)a->image.colormap_entries);
                   logerror(a, a->file_name, ": bad pixel index: ", pindex);
                }
                result = 0;
@@ -2754,8 +2761,9 @@ compare_two_images(Image *a, Image *b, int via_linear,
             {
                if ((a->opts & ACCUMULATE) == 0)
                   {
-                  char pindex[4];
+                  char pindex[9];
-                  sprintf(pindex, "%lu", (unsigned long)y);
+                  sprintf(pindex, "%lu[%lu]", (unsigned long)y,
+                     (unsigned long)b->image.colormap_entries);
                   logerror(b, b->file_name, ": bad pixel index: ", pindex);
                   }
                result = 0;
@@ -2780,8 +2788,30 @@ compare_two_images(Image *a, Image *b, int via_linear,
       }
 
       /* else the image buffers don't match pixel-wise so compare sample values
-       * instead.
+       * instead, but first validate that the pixel indexes are in range (but
+       * only if not accumulating, when the error is ignored.)
        */
+      else if ((a->opts & ACCUMULATE) == 0)
+      {
+         /* Check the original image first,
+          * TODO: deal with input images with bad pixel values?
+          */
+         if (amax >= a->image.colormap_entries)
+         {
+            char pindex[9];
+            sprintf(pindex, "%d[%lu]", amax,
+               (unsigned long)a->image.colormap_entries);
+            return logerror(a, a->file_name, ": bad pixel index: ", pindex);
+         }
+
+         else if (bmax >= b->image.colormap_entries)
+         {
+            char pindex[9];
+            sprintf(pindex, "%d[%lu]", bmax,
+               (unsigned long)b->image.colormap_entries);
+            return logerror(b, b->file_name, ": bad pixel index: ", pindex);
+         }
+      }
    }
 
    /* We can directly compare pixel values without the need to use the read

png.h

@@ -1,7 +1,7 @@
 
 /* png.h - header file for PNG reference library
  *
- * libpng version 1.6.0beta18 - March 10, 2012
+ * libpng version 1.6.0beta18 - March 11, 2012
  * Copyright (c) 1998-2012 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -11,7 +11,7 @@
  * Authors and maintainers:
  *   libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat
  *   libpng versions 0.89c, June 1996, through 0.96, May 1997: Andreas Dilger
- *   libpng versions 0.97, January 1998, through 1.6.0beta18 - March 10, 2012: Glenn
+ *   libpng versions 0.97, January 1998, through 1.6.0beta18 - March 11, 2012: Glenn
  *   See also "Contributing Authors", below.
  *
  * Note about libpng version numbers:
@@ -198,7 +198,7 @@
  *
  * This code is released under the libpng license.
  *
- * libpng versions 1.2.6, August 15, 2004, through 1.6.0beta18, March 10, 2012, are
+ * libpng versions 1.2.6, August 15, 2004, through 1.6.0beta18, March 11, 2012, are
  * Copyright (c) 2004, 2006-2012 Glenn Randers-Pehrson, and are
  * distributed according to the same disclaimer and license as libpng-1.2.5
  * with the following individual added to the list of Contributing Authors:
@@ -310,7 +310,7 @@
  * Y2K compliance in libpng:
  * =========================
  *
- *    March 10, 2012
+ *    March 11, 2012
  *
  *    Since the PNG Development group is an ad-hoc body, we can't make
  *    an official declaration.
@@ -376,7 +376,7 @@
 /* Version information for png.h - this should match the version in png.c */
 #define PNG_LIBPNG_VER_STRING "1.6.0beta18"
 #define PNG_HEADER_VERSION_STRING \
-     " libpng version 1.6.0beta18 - March 10, 2012\n"
+     " libpng version 1.6.0beta18 - March 11, 2012\n"
 
 #define PNG_LIBPNG_VER_SONUM   16
 #define PNG_LIBPNG_VER_DLLNUM  16
@@ -2929,7 +2929,7 @@ typedef struct
    (PNG_IMAGE_SAMPLE_SIZE((image).format) * (image).colormap_entries)
    /* Return the size, in bytes, of the color-map of this image.  If the image
     * format is not a color-map format this will return a size sufficient for
-    * 256 entries in the given format; check PNG_IMAGE_FORMAT_FLAG_COLORMAP if
+    * 256 entries in the given format; check PNG_FORMAT_FLAG_COLORMAP if
     * you don't want to allocate a color-map in this case.
     */
 

pngtrans.c

@@ -635,7 +635,7 @@ png_do_check_palette_indexes(png_structrp png_ptr, png_row_infop row_info)
        * forms produced on either GCC or MSVC.
        */
       int padding = (-row_info->pixel_depth * row_info->width) & 7;
-      png_bytep rp = png_ptr->row_buf + 1 + row_info->rowbytes;
+      png_bytep rp = png_ptr->row_buf + row_info->rowbytes;
 
       switch (row_info->bit_depth)
       {