From faf68f8d5725c521d419f6ba02a091fcb2c56418 Mon Sep 17 00:00:00 2001
From: John Bowler
Date: Sat, 9 Jan 2016 17:38:34 -0800
Subject: [PATCH] Fix for serious write bugs in pngwutil.c

There are two separate problems. The first is that the CMINFO optimization code gets run twice on any PNG IDAT stream longer than 2048 bytes and the second time can overwrite bytes 2048,2049 destroying the output. The second is that one of the (debug) checks was slightly wrong (< when <= should have been used) and this causes write to abort maybe 1/2048 times.

Signed-off-by: John Bowler
---
 pngwutil.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/pngwutil.c b/pngwutil.c
index 664ed8642..c51b0e096 100644
--- a/pngwutil.c
+++ b/pngwutil.c
@@ -2381,6 +2381,11 @@ png_write_IDAT(png_structrp png_ptr, int flush)
 debug((png_ptr->mode & PNG_HAVE_IDAT) != 0U);
 # endif /* WRITE_OPTIMIZE_CMF */
 
+ /* Set this now to prevent the above happening again second time round
+ * the loop:
+ */
+ png_ptr->mode |= PNG_HAVE_IDAT;
+
 if (avail <= start+len)
 {
 /* Write all of this buffer: */
@@ -2434,7 +2439,6 @@ png_write_IDAT(png_structrp png_ptr, int flush)
 while (len > 0U);
 
 png_write_chunk_end(png_ptr);
- png_ptr->mode |= PNG_HAVE_IDAT;
 }
 
 /* avail == 0 && flush */
@@ -3078,7 +3082,7 @@ png_zlib_filter_revert(png_structrp png_ptr, png_zlib_statep ps, png_byte i)
 pz->zs.next_out <= pz->list->output + (sizeof pz->list->output))
 {
 debug(pz->overflow == 0U &&
- pz->len + pz->start < (sizeof pz->list->output) &&
+ pz->len + pz->start <= (sizeof pz->list->output) &&
 pz->zs.next_out + pz->zs.avail_out ==
 pz->list->output + (sizeof pz->list->output) &&
 ps->s.zs.avail_out > pz->zs.avail_out);
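Review bot: Setting PNG_HAVE_IDAT before the first IDAT chunk has actually been written changes what the flag means to any other code that tests `png_ptr->mode & PNG_HAVE_IDAT`; the hunk at 2434, which drops the old assignment after png_write_chunk_end, completes the move, so a reader that took the flag as "at least one complete IDAT chunk is out" now sees it set while that chunk is still being written. That appears to be what the WRITE_OPTIMIZE_CMF block above wants, but the new comment's "the above" should name it: `/* PNG_HAVE_IDAT appears to gate the WRITE_OPTIMIZE_CMF block above; set it now so a second trip round the loop (IDAT data longer than one buffer) cannot rewrite the CMF bytes already written. */`. Since the commit message describes an overwrite of output bytes 2048,2049, a regression test that writes an image whose compressed IDAT stream spans more than one buffer and checks the file still decodes would pin the fix. png_write_IDAT starts and ends outside both hunks.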
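Review bot: The relaxed bound `pz->len + pz->start <= (sizeof pz->list->output)` now admits the exactly-full buffer, which the surrounding context (`next_out + avail_out == output + sizeof output`) already treats as legal, so the old `<` was the false positive; a one-line comment would stop the next reader from tightening it again: `/* start+len == sizeof output is the exactly-full buffer, a valid state */`. Because this lives inside debug(), the failure only ever appeared in debug builds and, per the commit message, only about once per 2048 bytes, so a test that fills an output buffer to exactly sizeof output would make the boundary deterministic rather than probabilistic. png_zlib_filter_revert continues outside the hunk.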