[libpng16] Check for invalid palette index while reading paletted PNG. When
one is found, issue a warning and increase png_ptr->num_palette accordingly.
Apps are responsible for checking to see if that happened.
diff --git a/ANNOUNCE b/ANNOUNCE
index 45801c7..1d3110b 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
-Libpng 1.6.0beta11 - February 13, 2012
+Libpng 1.6.0beta11 - February 17, 2012
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
@@ -176,7 +176,7 @@
Updated the prebuilt configure files to current condition.
Revised INSTALL information about autogen.sh; it works in tar distributions.
-Version 1.6.0beta11 [February 13, 2012]
+Version 1.6.0beta11 [February 17, 2012]
Fix character count in pngstest command in projects/owatcom/pngstest.tgt
Revised test-pngstest.sh to report PASS/FAIL for each image.
Updated documentation about the simplified API.
@@ -207,6 +207,9 @@
produces warnings from gcc with some warning options (including -Wall). The
fix is to cause png.h to declare the functions with PNG_INTERNAL_FUNCTION
when png.h is included from pngpriv.h.
+ Check for invalid palette index while reading paletted PNG. When one is
+ found, issue a warning and increase png_ptr->num_palette accordingly.
+ Apps are responsible for checking to see if that happened.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/CHANGES b/CHANGES
index 01a8c38..ee5b5ef 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3927,7 +3927,7 @@
Updated the prebuilt configure files to current condition.
Revised INSTALL information about autogen.sh; it works in tar distributions.
-Version 1.6.0beta11 [February 13, 2012]
+Version 1.6.0beta11 [February 17, 2012]
Fix character count in pngstest command in projects/owatcom/pngstest.tgt
Revised test-pngstest.sh to report PASS/FAIL for each image.
Updated documentation about the simplified API.
@@ -3958,6 +3958,9 @@
produces warnings from gcc with some warning options (including -Wall). The
fix is to cause png.h to declare the functions with PNG_INTERNAL_FUNCTION
when png.h is included from pngpriv.h.
+ Check for invalid palette index while reading paletted PNG. When one is
+ found, issue a warning and increase png_ptr->num_palette accordingly.
+ Apps are responsible for checking to see if that happened.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/pngread.c b/pngread.c
index 4560ca9..54138bb 100644
--- a/pngread.c
+++ b/pngread.c
@@ -523,6 +523,27 @@
png_error(png_ptr, "bad adaptive filter value");
}
+ if ((png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) &&
+ (png_ptr->num_palette < (1 << png_ptr->bit_depth)))
+ {
+ if ((png_ptr->interlaced && png_ptr->pass == 6) ||
+ (!png_ptr->interlaced && png_ptr->pass == 0))
+ {
+ png_uint_32 i;
+ png_bytep rp = png_ptr->row_buf+1;
+
+ for (i = 0; i <= row_info.rowbytes; i++)
+ {
+ if (*rp >= png_ptr->num_palette)
+ {
+ png_warning(png_ptr,"Found invalid palette index");
+ png_ptr->num_palette=*rp;
+ }
+ rp++;
+ }
+ }
+ }
+
/* libpng 1.5.6: the following line was copying png_ptr->rowbytes before
* 1.5.6, while the buffer really is this big in current versions of libpng
* it may not be in the future, so this was changed just to copy the
@@ -585,6 +606,7 @@
if (png_ptr->read_row_fn != NULL)
(*(png_ptr->read_row_fn))(png_ptr, png_ptr->row_number, png_ptr->pass);
+
}
#endif /* PNG_SEQUENTIAL_READ_SUPPORTED */
