[libpng15] Fixed bug in pngvalid on early allocation failure; fixed type cast

in pngmem.c; pngvalid would attempt to call png_error() if the allocation
of a png_struct or png_info failed. This would probably have led to a
crash.  The pngmem.c implementation of png_malloc() included a cast
to png_size_t which would fail on large allocations on 16-bit systems.
diff --git a/ANNOUNCE b/ANNOUNCE
index 11520a2..31e1cbb 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -28,6 +28,11 @@
 
 Version 1.5.7 [November 3, 2011]
   Added support for ARM processor (Mans Rullgard)
+  Fixed bug in pngvalid on early allocation failure; fixed type cast in
+    pngmem.c; pngvalid would attempt to call png_error() if the allocation
+    of a png_struct or png_info failed. This would probably have led to a
+    crash.  The pngmem.c implementation of png_malloc() included a cast
+    to png_size_t which would fail on large allocations on 16-bit systems.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net:
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index 305ffea..cc2ebea 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3671,6 +3671,11 @@
 
 Version 1.5.7 [November 3, 2011]
   Added support for ARM processor (Mans Rullgard)
+  Fixed bug in pngvalid on early allocation failure; fixed type cast in
+    pngmem.c; pngvalid would attempt to call png_error() if the allocation
+    of a png_struct or png_info failed. This would probably have led to a
+    crash.  The pngmem.c implementation of png_malloc() included a cast
+    to png_size_t which would fail on large allocations on 16-bit systems.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/pngmem.c b/pngmem.c
index ea606d6..756eb01 100644
--- a/pngmem.c
+++ b/pngmem.c
@@ -1,7 +1,7 @@
 
 /* pngmem.c - stub functions for memory allocation
  *
- * Last changed in libpng 1.5.4 [July 7, 2011]
+ * Last changed in libpng 1.5.7 [(PENDING RELEASE)]
  * Copyright (c) 1998-2011 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -56,9 +56,9 @@
    if (malloc_fn != NULL)
    {
       png_struct dummy_struct;
-      png_structp png_ptr = &dummy_struct;
-      png_ptr->mem_ptr=mem_ptr;
-      struct_ptr = (*(malloc_fn))(png_ptr, (png_uint_32)size);
+      memset(&dummy_struct, 0, sizeof dummy_struct);
+      dummy_struct.mem_ptr=mem_ptr;
+      struct_ptr = (*(malloc_fn))(&dummy_struct, (png_alloc_size_t)size);
    }
 
    else
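Review bot: The zeroed `dummy_struct` passed to `malloc_fn` here, and to `free_fn` in the matching -90,9 hunk, is not documented as a stub, so nothing at either call site warns that the callback receives a png_struct in which only `mem_ptr` is set. A comment above the `memset` would make that contract explicit, e.g. `/* Stub png_struct: only mem_ptr is valid; the callback must not call png_error() on it */`. If pngmem.c otherwise uses the `png_memset` wrapper, as libpng 1.5 sources generally do, both new calls should use it for consistency. The enclosing function starts and ends outside the hunk.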
@@ -90,9 +90,9 @@
       if (free_fn != NULL)
       {
          png_struct dummy_struct;
-         png_structp png_ptr = &dummy_struct;
-         png_ptr->mem_ptr=mem_ptr;
-         (*(free_fn))(png_ptr, struct_ptr);
+         memset(&dummy_struct, 0, sizeof dummy_struct);
+         dummy_struct.mem_ptr=mem_ptr;
+         (*(free_fn))(&dummy_struct, struct_ptr);
          return;
       }
 
@@ -143,7 +143,7 @@
 
 #  ifdef PNG_USER_MEM_SUPPORTED
    if (png_ptr->malloc_fn != NULL)
-      ret = ((png_voidp)(*(png_ptr->malloc_fn))(png_ptr, (png_size_t)size));
+      ret = ((png_voidp)(*(png_ptr->malloc_fn))(png_ptr, size));
 
    else
       ret = (png_malloc_default(png_ptr, size));
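Review bot: Nothing at the `malloc_fn` call records why `size` is now passed without a cast, so a later cleanup could easily reintroduce the narrowing. Per the commit message the old `(png_size_t)` cast broke large requests on 16-bit systems; a narrowed request that still succeeds would hand back a buffer smaller than the caller asked for. A one-line comment such as `/* Pass size unnarrowed: malloc_fn takes png_alloc_size_t */` would cover it. The parameter type is inferred from the cast in the -56,9 hunk and should be confirmed against the prototype. The function body continues outside the hunk.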
diff --git a/pngpriv.h b/pngpriv.h
index d0b7180..a9e68d6 100644
--- a/pngpriv.h
+++ b/pngpriv.h
@@ -6,7 +6,7 @@
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
- * Last changed in libpng 1.5.6 [(PENDING RELEASE)]
+ * Last changed in libpng 1.5.7 [(PENDING RELEASE)]
  *
  * This code is released under the libpng license.
  * For conditions of distribution and use, see the disclaimer
diff --git a/pngrutil.c b/pngrutil.c
index beb947b..fc96ca4 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1,7 +1,7 @@
 
 /* pngrutil.c - utilities to read a PNG file
  *
- * Last changed in libpng 1.5.6 [(PENDING RELEASE)]
+ * Last changed in libpng 1.5.7 [(PENDING RELEASE)]
  * Copyright (c) 1998-2011 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
diff --git a/pngvalid.c b/pngvalid.c
index 434ce53..14d198a 100644
--- a/pngvalid.c
+++ b/pngvalid.c
@@ -1,7 +1,7 @@
 
 /* pngvalid.c - validate libpng by constructing then reading png files.
  *
- * Last changed in libpng 1.5.6 [(PENDING RELEASE)]
+ * Last changed in libpng 1.5.7 [(PENDING RELEASE)]
  * Copyright (c) 2011 Glenn Randers-Pehrson
  * Written by John Cunningham Bowler
  *
@@ -1332,7 +1332,21 @@
    }
 
    else
-      store_pool_error(pool->store, pp, "out of memory");
+   {
+      /* NOTE: the PNG user malloc function cannot use the png_ptr it is passed
+       * other than to retrieve the allocation pointer!  libpng calls the
+       * store_malloc callback in two basic cases:
+       *
+       * 1) From png_malloc; png_malloc will do a png_error itself if NULL is
+       *    returned.
+       * 2) From png_struct or png_info structure creation; png_malloc is
+       *    to return so cleanup can be performed.
+       *
+       * To handle this store_malloc can log a message, but can't do anything
+       * else.
+       */
+      store_log(pool->store, pp, "out of memory", 1 /* is_error */);
+   }
 
    return new;
 }
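Review bot: Case 2 of the new comment reads `png_malloc is to return so cleanup can be performed`, but the routine that has to return on that path appears to be the callback itself, which sits oddly next to case 1 where png_malloc raises the error. Suggested wording: `2) From png_struct or png_info structure creation; store_malloc must return NULL (not call png_error) so the caller can clean up.` It would also help to say in the comment that `pp` may be a stub png_struct on that path, since that is the reason the branch only logs. The start of the function is outside the hunk.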
@@ -1343,6 +1357,14 @@
    store_pool *pool = voidcast(store_pool*, png_get_mem_ptr(pp));
    store_memory *this = voidcast(store_memory*, memory), **test;
 
+   /* Because libpng calls store_free with a dummy png_struct when deleting
+    * png_struct or png_info via png_destroy_struct_2 it is necessary to check
+    * the passed in png_structp to ensure it is valid, and not pass it to
+    * png_error if it is not.
+    */
+   if (pp != pool->store->pread && pp != pool->store->pwrite)
+      pp = NULL;
+
    /* First check that this 'memory' really is valid memory - it must be in the
     * pool list.  If it is, use the shared memory_free function to free it.
     */
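Review bot: The new guard replaces an unrecognised `pp` with NULL, but the comment's promise not to pass it to png_error only holds if every later use of `pp` in store_free treats NULL as "log only", and that code is not visible in this hunk. I would extend the comment with `pp == NULL from here on means no usable png_struct: report through the store only` and check each later use against it. The comparison also dereferences `pool->store`, so that back-pointer must already be set by the time the first png_struct or png_info is freed. The rest of store_free is outside the hunk.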