[libpng17] Fixed two Coverity issues in pngcp.c.

ANNOUNCE

@@ -1,5 +1,5 @@
 
-Libpng 1.7.0beta82 - July 3, 2016
+Libpng 1.7.0beta82 - July 4, 2016
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -1380,7 +1380,7 @@ Version 1.7.0beta81 [June 11, 2016]
   Avoid potential overflow of the PNG_IMAGE_SIZE macro.  This macro
     is not used within libpng, but is used in some of the examples.
 
-Version 1.7.0beta82 [July 3, 2016]
+Version 1.7.0beta82 [July 4, 2016]
   Put the SKIP definition in the correct place. It needs to come after the
     png.h include (see all the other .c files in contrib/libtests) because it
     depends on PNG_LIBPNG_VER.
@@ -1388,6 +1388,7 @@ Version 1.7.0beta82 [July 3, 2016]
     with a pngcp.dfa configuration test (John Bowler)
   Added a "Common linking failures" section to the INSTALL document.
   Relocated misplaced #endif in png.c sRGB profile checking.
+  Fixed two Coverity issues in pngcp.c.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

CHANGES

@@ -5680,7 +5680,7 @@ Version 1.7.0beta81 [June 11, 2016]
   Avoid potential overflow of the PNG_IMAGE_SIZE macro.  This macro
     is not used within libpng, but is used in some of the examples.
 
-Version 1.7.0beta82 [July 3, 2016]
+Version 1.7.0beta82 [July 4, 2016]
   Put the SKIP definition in the correct place. It needs to come after the
     png.h include (see all the other .c files in contrib/libtests) because it
     depends on PNG_LIBPNG_VER.
@@ -5688,6 +5688,7 @@ Version 1.7.0beta82 [July 3, 2016]
     with a pngcp.dfa configuration test (John Bowler)
   Added a "Common linking failures" section to the INSTALL document.
   Relocated misplaced #endif in png.c sRGB profile checking.
+  Fixed two Coverity issues in pngcp.c.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

contrib/tools/pngcp.c

@@ -475,7 +475,7 @@ struct display
    char             curr[32*SL];       /* current options being tested */
    char             best[32*SL];       /* best options */
 
-   char             namebuf[FILENAME_MAX+1]; /* output file name */
+   char             namebuf[FILENAME_MAX]; /* output file name */
 };
 
 static void
@@ -1639,7 +1639,7 @@ makename(struct display *dp, const char *dir, const char *infile)
    {
       size_t dsize = strlen(dir);
 
-      if (dsize < FILENAME_MAX+2)
+      if (dsize <= (sizeof dp->namebuf)-2) /* Allow for name + '/' + '\0' */
       {
          size_t isize = strlen(infile);
          size_t istart = isize-1;
@@ -1659,7 +1659,7 @@ makename(struct display *dp, const char *dir, const char *infile)
          isize -= istart;
          infile += istart;
 
-         if (dsize+isize <= FILENAME_MAX)
+         if (dsize+isize < (sizeof dp->namebuf)) /* dsize + infile + '\0' */
          {
             memcpy(dp->namebuf+dsize, infile, isize+1);
 
@@ -1670,7 +1670,7 @@ makename(struct display *dp, const char *dir, const char *infile)
 
          else
          {
-            dp->namebuf[dsize] = 0;
+            dp->namebuf[dsize] = 0; /* allowed for: -2 at start */
             display_log(dp, USER_ERROR, "%s%s: output file name too long",
                   dp->namebuf, infile);
          }
@@ -1799,8 +1799,15 @@ read_png(struct display *dp, const char *filename)
    dp->bpp = png_get_bit_depth(dp->read_pp, dp->ip) *
              png_get_channels(dp->read_pp, dp->ip);
    {
+      /* png_get_rowbytes should never return 0 because the value is set by the
+       * first call to png_set_IHDR, which should have happened by now, but just
+       * in case:
+       */
       png_alloc_size_t rb = png_get_rowbytes(dp->read_pp, dp->ip);
 
+      if (rb == 0)
+         png_error(dp->read_pp, "invalid row byte count from libpng");
+
       /* The size calc can overflow. */
       if ((MAX_SIZE-dp->h)/rb < dp->h)
          png_error(dp->read_pp, "image too large");