[libpng16] Nullify trans_color with out-of-range value, to stop oss-fuzz issue.
diff --git a/ANNOUNCE b/ANNOUNCE
index cdce43d..b40645c 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,4 +1,4 @@
-Libpng 1.6.35beta01 - October 12, 2017
+Libpng 1.6.35beta01 - October 15, 2017
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
@@ -24,11 +24,12 @@
Changes since the last public release (1.6.34):
-Version 1.6.35beta01 [October 12, 2017]
+Version 1.6.35beta01 [October 15, 2017]
Restored 21 of the contrib/pngsuite/i*.png, which do not cause test
failures. Placed the remainder in contrib/pngsuite/interlaced/i*.png.
Added calls to png_set_*() transforms commonly used by browsers to
the fuzzer.
+ Nullify trans_color with out-of-range value.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/CHANGES b/CHANGES
index 047e988..6fa30dc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6040,11 +6040,12 @@
Version 1.6.34 [September 29, 2017]
Removed contrib/pngsuite/i*.png; some of caused test failures.
-Version 1.6.35beta01 [October 12, 2017]
+Version 1.6.35beta01 [October 15, 2017]
Restored 21 of the contrib/pngsuite/i*.png, which do not cause test
failures. Placed the remainder in contrib/pngsuite/interlaced/i*.png.
Added calls to png_set_*() transforms commonly used by browsers to
the fuzzer.
+ Nullify trans_color with out-of-range value.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/pngset.c b/pngset.c
index 6f3a1ee..d2ee44f 100644
--- a/pngset.c
+++ b/pngset.c
@@ -1025,7 +1025,6 @@
if (trans_color != NULL)
{
-#ifdef PNG_WARNINGS_SUPPORTED
if (info_ptr->bit_depth < 16)
{
int sample_max = (1 << info_ptr->bit_depth) - 1;
@@ -1036,14 +1035,16 @@
(trans_color->red > sample_max ||
trans_color->green > sample_max ||
trans_color->blue > sample_max)))
+ {
png_warning(png_ptr,
"tRNS chunk has out-of-range samples for bit_depth");
+ trans_color = NULL;
+ }
}
-#endif
info_ptr->trans_color = *trans_color;
- if (num_trans == 0)
+ if (num_trans == 0 && trans_color != NULL)
num_trans = 1;
}