[libpng17] Handle zero-length PLTE chunk or NULL palette with png_error()
instead of png_chunk_report(), which by default issues a warning
rather than an error, leading to later reading from a NULL pointer
(png_ptr->palette) in png_do_expand_palette().
diff --git a/ANNOUNCE b/ANNOUNCE
index 230005c..102da62 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
-Libpng 1.7.0beta24 - December 14, 2013
+Libpng 1.7.0beta24 - December 15, 2013
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
@@ -437,7 +437,7 @@
This reverts to the previous 'static' implementation and works round
the 'unused static function' warning by using PNG_UNUSED().
-Version 1.7.0beta24 [December 14, 2013]
+Version 1.7.0beta24 [December 15, 2013]
Removed or marked PNG_UNUSED some harmless "dead assignments" reported
by clang scan-build.
Changed tabs to 3 spaces in png_debug macros and changed '"%s"m'
@@ -456,6 +456,10 @@
segment of the DLL by 1208 bytes, about 0.6%. It also simplifies
maintenance by removing the declarations from pngpriv.h and allowing
easier changes to the internal interfaces.
+ Handle zero-length PLTE chunk or NULL palette with png_error()
+ instead of png_chunk_report(), which by default issues a warning
+ rather than an error, leading to later reading from a NULL pointer
+ (png_ptr->palette) in png_do_expand_palette().
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/CHANGES b/CHANGES
index ff3778a..27a48f2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4726,7 +4726,7 @@
This reverts to the previous 'static' implementation and works round
the 'unused static function' warning by using PNG_UNUSED().
-Version 1.7.0beta24 [December 14, 2013]
+Version 1.7.0beta24 [December 15, 2013]
Removed or marked PNG_UNUSED some harmless "dead assignments" reported
by clang scan-build.
Changed tabs to 3 spaces in png_debug macros and changed '"%s"m'
@@ -4745,6 +4745,10 @@
segment of the DLL by 1208 bytes, about 0.6%. It also simplifies
maintenance by removing the declarations from pngpriv.h and allowing
easier changes to the internal interfaces.
+ Handle zero-length PLTE chunk or NULL palette with png_error()
+ instead of png_chunk_report(), which by default issues a warning
+ rather than an error, leading to later reading from a NULL pointer
+ (png_ptr->palette) in png_do_expand_palette().
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/pngrtran.c b/pngrtran.c
index bbddfad..4da0a22 100644
--- a/pngrtran.c
+++ b/pngrtran.c
@@ -1839,6 +1839,9 @@
info_ptr->bit_depth = 8;
info_ptr->num_trans = 0;
+
+ if (png_ptr->palette == NULL)
+ png_error (png_ptr, "Palette is NULL in indexed image");
}
else
{
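Review bot: the NULL check in this branch runs after info_ptr->bit_depth and info_ptr->num_trans have already been overwritten, so when png_error() is raised the info struct has been modified for an image that is then rejected. Moving `if (png_ptr->palette == NULL)` above those assignments would avoid that. The commit message places the NULL read in png_do_expand_palette(), which this patch does not touch, so it is worth confirming that every path into that function passes through this check first. Style: `png_error (png_ptr, ...)` has a space before the parenthesis, unlike the `png_error(png_ptr, ...)` call in the pngset.c hunk.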
diff --git a/pngset.c b/pngset.c
index 368e4a6..8076fc2 100644
--- a/pngset.c
+++ b/pngset.c
@@ -528,7 +528,7 @@
# endif
))
{
- png_chunk_report(png_ptr, "Invalid palette", PNG_CHUNK_ERROR);
+ png_error(png_ptr, "Invalid palette");
return;
}
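Review bot: the `return;` kept after the new png_error() call is unreachable, since png_error() does not return to its caller; drop it, or add a comment saying it is kept only to quiet compilers. The change also alters behaviour for callers: an invalid palette that previously produced a report (a warning by default, per the commit message) now aborts processing, so the function's documentation should state that an invalid palette is fatal.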