mirror of
https://git.code.sf.net/p/libpng/code.git
synced 2025-07-10 18:04:09 +02:00
The internal read code change to stop sharing the palette was incompletely implemented. The result is that unless palette index checking is turned off and there are no read transformations the png_info palette gets deleted when the png_struct is deleted. This is normally harmless (png_info gets deleted first) but in the case of pngcp it results in use-after-free of the palette and, therefore, palette corruption and maybe on some operating systems an access violation.

This also updated pngcp 'search' mode to check a restricted range of memLevels; there is an unrelated bug which means that lower zlib memLevels result in memory corruption under some circumstances, probably less often than 1:1000.

Signed-off-by: John Bowler <jbowler@acm.org>
56 KiB