Fix for serious write bugs in pngwutil.c

There are two separate problems.  The first is that the CMINFO optimization code
gets run twice on any PNG IDAT stream longer than 2048 bytes and the second time
can overwrite bytes 2048,2049 destroying the output.

The second is that one of the (debug) checks was slightly wrong (< was used where <=
should have been) and this causes the write to abort roughly 1 time in 2048.

Signed-off-by: John Bowler <jbowler@acm.org>
John Bowler 2016-01-09 17:38:34 -08:00
parent 09a1afbb3d
commit faf68f8d57


@ -2381,6 +2381,11 @@ png_write_IDAT(png_structrp png_ptr, int flush)
debug((png_ptr->mode & PNG_HAVE_IDAT) != 0U);
# endif /* WRITE_OPTIMIZE_CMF */
/* Set this now to prevent the above happening again second time round
* the loop:
*/
png_ptr->mode |= PNG_HAVE_IDAT;
if (avail <= start+len)
{
/* Write all of this buffer: */
@ -2434,7 +2439,6 @@ png_write_IDAT(png_structrp png_ptr, int flush)
while (len > 0U);
png_write_chunk_end(png_ptr);
png_ptr->mode |= PNG_HAVE_IDAT;
}
/* avail == 0 && flush */
@ -3078,7 +3082,7 @@ png_zlib_filter_revert(png_structrp png_ptr, png_zlib_statep ps, png_byte i)
pz->zs.next_out <= pz->list->output + (sizeof pz->list->output))
{
debug(pz->overflow == 0U &&
pz->len + pz->start < (sizeof pz->list->output) &&
pz->len + pz->start <= (sizeof pz->list->output) &&
pz->zs.next_out + pz->zs.avail_out ==
pz->list->output + (sizeof pz->list->output) &&
ps->s.zs.avail_out > pz->zs.avail_out);
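Review bot: The new `png_ptr->mode |= PNG_HAVE_IDAT;` in the first hunk is set before the buffer is written, and its comment says only "prevent the above happening again" while the code it guards (the WRITE_OPTIMIZE_CMF block) lies outside the hunk; name it so a reader of the loop knows what the flag protects: `/* Set PNG_HAVE_IDAT before the first write: the WRITE_OPTIMIZE_CMF header rewrite above must run only on the first pass round this loop, otherwise it is applied again to the next buffer. */`. Because the flag now goes up before png_write_chunk_end rather than after it (the line removed in the second hunk), anything that reads PNG_HAVE_IDAT between those two points—error paths or the chunk-start logic outside the hunk—sees the new value earlier; that is presumably intended, but a regression test with an IDAT stream longer than 2048 bytes that checks the bytes at offsets 2048 and 2049 would pin the fix. In the third hunk the relaxed check `pz->len + pz->start <= (sizeof pz->list->output)` now admits the exactly-full buffer, and a one-line comment such as `/* len + start == sizeof output is the full-buffer case, not an overflow */` would keep the strict form from being reintroduced. png_write_IDAT and png_zlib_filter_revert both begin and end outside the hunks.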