[libpng15] Made the check for out-of-range values in png_set_tRNS() detect
values that are exactly 2^bit_depth, and work on 16-bit platforms.
diff --git a/ANNOUNCE b/ANNOUNCE
index fbd7ec0..b462c6a 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
-Libpng 1.5.22beta01 - December 29, 2014
+Libpng 1.5.22beta01 - January 13, 2015
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
@@ -27,8 +27,10 @@
Changes since the last public release (1.5.21):
-Version 1.5.22beta01 [December 29, 2014]
+Version 1.5.22beta01 [January 13, 2015]
Regenerated configure scripts with libtool-2.4.4
+ Made the check for out-of-range values in png_set_tRNS() detect
+ values that are exactly 2^bit_depth, and work on 16-bit platforms.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/CHANGES b/CHANGES
index 4b86924..b5dec2b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4279,19 +4279,22 @@
Version 1.5.21rc01 [December 21, 2014]
Restored a test on width that was removed from png.c at libpng-1.6.9
- (Bug report by Alex Eubanks).
+ (Bug report by Alex Eubanks, CVE-2015-0973).
Version 1.5.21rc02 [December 21, 2014]
Undid the update to pngrutil.c in 1.6.16rc01.
Version 1.5.21rc03 [December 21, 2014]
- Fixed an overflow in png_combine_row with very wide interlaced images.
+ Fixed an overflow in png_combine_row with very wide interlaced images
+ (Bug report and fix by John Bowler, CVE-2014-9495).
Version 1.5.21 [December 22, 2014]
No changes.
-Version 1.5.22beta01 [December 29, 2014]
+Version 1.5.22beta01 [January 13, 2015]
Regenerated configure scripts with libtool-2.4.4
+ Made the check for out-of-range values in png_set_tRNS() detect
+ values that are exactly 2^bit_depth, and work on 16-bit platforms.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/pngset.c b/pngset.c
index e932ff7..64d452d 100644
--- a/pngset.c
+++ b/pngset.c
@@ -1,7 +1,7 @@
/* pngset.c - storage of image information into info struct
*
- * Last changed in libpng 1.5.20 [November 20, 2014]
+ * Last changed in libpng 1.5.22 [(PENDING RELEASE)]
* Copyright (c) 1998-2014 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -926,16 +926,19 @@
if (trans_color != NULL)
{
- int sample_max = (1 << info_ptr->bit_depth);
+ if (info_ptr->bit_depth < 16)
+ {
+ unsigned int sample_max = (1U << info_ptr->bit_depth) - 1U;
- if ((info_ptr->color_type == PNG_COLOR_TYPE_GRAY &&
- (int)trans_color->gray > sample_max) ||
- (info_ptr->color_type == PNG_COLOR_TYPE_RGB &&
- ((int)trans_color->red > sample_max ||
- (int)trans_color->green > sample_max ||
- (int)trans_color->blue > sample_max)))
- png_warning(png_ptr,
- "tRNS chunk has out-of-range samples for bit_depth");
+ if ((info_ptr->color_type == PNG_COLOR_TYPE_GRAY &&
+ trans_color->gray > sample_max) ||
+ (info_ptr->color_type == PNG_COLOR_TYPE_RGB &&
+ (trans_color->red > sample_max ||
+ trans_color->green > sample_max ||
+ trans_color->blue > sample_max)))
+ png_warning(png_ptr,
+ "tRNS chunk has out-of-range samples for bit_depth");
+ }
png_memcpy(&(info_ptr->trans_color), trans_color,
png_sizeof(png_color_16));
