From d2b9af04ac843c86ffec6daa0ae0561b30d467d2 Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Mon, 28 Aug 2017 11:58:11 -0500 Subject: [PATCH] [libpng16] Fixed off-by-one error in png_do_check_palette_indexes() (Bug report by Mick P., Source Forge Issue #269). --- ANNOUNCE | 2 ++ CHANGES | 2 ++ pngtrans.c | 2 +- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ANNOUNCE b/ANNOUNCE index 78a6faf52..9e36cb304 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -27,6 +27,8 @@ Changes since the last public release (1.6.32): Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing parenthesis in contrib/pngminus/pnm2png.c (bug report by Christian Hesse). Free row_ptr in PNG_CLEANUP macro in contrib/oss-fuzz/libpng_read_fuzzer.cc + Fixed off-by-one error in png_do_check_palette_indexes() (Bug report + by Mick P., Source Forge Issue #269). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index 612577b39..a5530f80b 100644 --- a/CHANGES +++ b/CHANGES @@ -5998,6 +5998,8 @@ Version 1.6.33beta01 [August 28, 2017] Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing parenthesis in contrib/pngminus/pnm2png.c (bug report by Christian Hesse). Free row_ptr in PNG_CLEANUP macro in contrib/oss-fuzz/libpng_read_fuzzer.cc + Fixed off-by-one error in png_do_check_palette_indexes() (Bug report + by Mick P., Source Forge Issue #269). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/pngtrans.c b/pngtrans.c index 326ac33f0..065855ce8 100644 --- a/pngtrans.c +++ b/pngtrans.c 
@@ -708,7 +708,7 @@ png_do_check_palette_indexes(png_structrp png_ptr, png_row_infop row_info) * forms produced on either GCC or MSVC. */ int padding = PNG_PADBITS(row_info->pixel_depth, row_info->width); - png_bytep rp = png_ptr->row_buf + row_info->rowbytes; + png_bytep rp = png_ptr->row_buf + row_info->rowbytes - 1; switch (row_info->bit_depth) {
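Review bot: the entry added to ANNOUNCE and CHANGES ("Fixed off-by-one error in png_do_check_palette_indexes()") does not say in which direction the pointer was off or what the effect was, so a downstream packager cannot tell from the release notes whether the old code read a byte outside the row or skipped one inside it. Suggest extending the entry with one clause that states the observable effect, and using the same wording in both files, which the patch already does.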
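Review bot: the new initializer `png_bytep rp = png_ptr->row_buf + row_info->rowbytes - 1;` in the pngtrans.c hunk carries no comment saying which byte rp is meant to address, and the loops under `switch (row_info->bit_depth)` that consume rp fall outside the context shown, so their termination conditions cannot be checked against the shifted start. Suggest adding a one-line comment that states the intended position of rp relative to the row data in row_buf, and confirming that each case still visits every byte of the row exactly once after the change. The expression also assumes row_info->rowbytes is at least 1, since with 0 it yields a pointer before row_buf; if that precondition is guaranteed by the caller, say so in the comment, otherwise add a guard before the switch.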