diff -ru4NwbB libpng-1.5.9/Makefile.am libpng-1.5.10/Makefile.am --- libpng-1.5.9/Makefile.am 2012-02-18 14:31:22.668324704 -0600 +++ libpng-1.5.10/Makefile.am 2012-03-29 00:07:02.313855348 -0500 @@ -37,9 +37,9 @@ # EXTRA_LTLIBRARIES= libpng.la libpng@PNGLIB_MAJOR@@PNGLIB_MINOR@_la_SOURCES = png.c pngerror.c\ pngget.c pngmem.c pngpread.c pngread.c pngrio.c pngrtran.c pngrutil.c\ pngset.c pngtrans.c pngwio.c pngwrite.c pngwtran.c pngwutil.c\ - png.h pngconf.h pngdebug.h pnginfo.h pngpriv.h pngstruct.h + png.h pngconf.h pngdebug.h pnginfo.h pngpriv.h pngstruct.h pngusr.dfa if PNG_ARM_NEON libpng@PNGLIB_MAJOR@@PNGLIB_MINOR@_la_SOURCES += arm/filter_neon.S endif @@ -152,13 +152,13 @@ rm -f dfn.c dfn[12].out mv dfn3.out $@ # The .dfn file for pnglibconf.h is machine generated -pnglibconf.dfn: scripts/pnglibconf.dfa scripts/options.awk pngconf.h +pnglibconf.dfn: scripts/pnglibconf.dfa scripts/options.awk pngconf.h pngusr.dfa $(DFA_XTRA) rm -f $@ dfn?.out $(AWK) -f ${srcdir}/scripts/options.awk out=dfn1.out version=search\ ${srcdir}/pngconf.h ${srcdir}/scripts/pnglibconf.dfa\ - $(DFA_XTRA) 1>&2 + ${srcdir}/pngusr.dfa $(DFA_XTRA) 1>&2 $(AWK) -f ${srcdir}/scripts/options.awk out=dfn2.out dfn1.out 1>&2 rm dfn1.out mv dfn2.out $@ diff -ru4NwbB libpng-1.5.9/example.c libpng-1.5.10/example.c --- libpng-1.5.9/example.c 2012-02-18 14:31:14.341842946 -0600 +++ libpng-1.5.10/example.c 2012-03-29 00:06:54.523193383 -0500 @@ -1,10 +1,10 @@ #if 0 /* in case someone actually tries to compile this */ /* example.c - an example of using libpng - * Last changed in libpng 1.5.7 [December 15, 2011] - * Maintained 1998-2011 Glenn Randers-Pehrson + * Last changed in libpng 1.5.10 [March 8, 2012] + * Maintained 1998-2012 Glenn Randers-Pehrson * Maintained 1996, 1997 Andreas Dilger * Written 1995, 1996 Guy Eric Schalnat, Group 42, Inc. */ @@ -694,27 +694,40 @@ */ png_set_gAMA(png_ptr, info_ptr, gamma); /* Optionally write comments into the image */ - text_ptr[0].key = "Title"; - text_ptr[0].text = "Mona Lisa"; + { + png_text text_ptr[3]; + + char key0[]="Title"; + char text0[]="Mona Lisa"; + text_ptr[0].key = key0; + text_ptr[0].text = text0; text_ptr[0].compression = PNG_TEXT_COMPRESSION_NONE; text_ptr[0].itxt_length = 0; text_ptr[0].lang = NULL; text_ptr[0].lang_key = NULL; - text_ptr[1].key = "Author"; - text_ptr[1].text = "Leonardo DaVinci"; + + char key1[]="Author"; + char text1[]="Leonardo DaVinci"; + text_ptr[1].key = key1; + text_ptr[1].text = text1; text_ptr[1].compression = PNG_TEXT_COMPRESSION_NONE; text_ptr[1].itxt_length = 0; text_ptr[1].lang = NULL; text_ptr[1].lang_key = NULL; - text_ptr[2].key = "Description"; - text_ptr[2].text = ""; + + char key2[]="Description"; + char text2[]=""; + text_ptr[2].key = key2; + text_ptr[2].text = text2; text_ptr[2].compression = PNG_TEXT_COMPRESSION_zTXt; text_ptr[2].itxt_length = 0; text_ptr[2].lang = NULL; text_ptr[2].lang_key = NULL; - png_set_text(png_ptr, info_ptr, text_ptr, 3); + + png_set_text(write_ptr, write_info_ptr, text_ptr, 3); + } /* Other optional chunks like cHRM, bKGD, tRNS, tIME, oFFs, pHYs */ /* Note that if sRGB is present the gAMA and cHRM chunks must be ignored diff -ru4NwbB libpng-1.5.9/png.c libpng-1.5.10/png.c --- libpng-1.5.9/png.c 2012-02-18 14:31:14.354818263 -0600 +++ libpng-1.5.10/png.c 2012-03-29 00:06:54.535945504 -0500 @@ -1,9 +1,9 @@ /* png.c - location for general purpose libpng functions * - * Last changed in libpng 1.5.7 [December 15, 2011] - * Copyright (c) 1998-2011 Glenn Randers-Pehrson + * Last changed in libpng 1.5.10 [March 8, 2012] + * Copyright (c) 1998-2012 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * * This code is released under the libpng license. @@ -1466,9 +1466,9 @@ static double png_pow10(int power) { int recip = 0; - double d = 1; + double d = 1.0; /* Handle negative exponent with a reciprocal at the end because * 10 is exact whereas .1 is inexact in base 2 */ @@ -1480,9 +1480,9 @@ if (power > 0) { /* Decompose power bitwise. */ - double mult = 10; + double mult = 10.0; do { if (power & 1) d *= mult; mult *= mult; @@ -1599,9 +1599,10 @@ do { double d; - fp *= 10; + fp *= 10.0; + /* Use modf here, not floor and subtract, so that * the separation is done in one step. At the end * of the loop don't break the number into parts so * that the final digit is rounded. @@ -1612,9 +1613,9 @@ else { d = floor(fp + .5); - if (d > 9) + if (d > 9.0) { /* Rounding up to 10, handle that here. */ if (czero > 0) { @@ -1620,11 +1621,12 @@ { --czero, d = 1; if (cdigits == 0) --clead; } + else { - while (cdigits > 0 && d > 9) + while (cdigits > 0 && d > 9.0) { int ch = *--ascii; if (exp_b10 != (-1)) @@ -1647,9 +1649,9 @@ /* Did we reach the beginning? If so adjust the * exponent but take into account the leading * decimal point. */ - if (d > 9) /* cdigits == 0 */ + if (d > 9.0) /* cdigits == 0 */ { if (exp_b10 == (-1)) { /* Leading decimal point (plus zeros?), if @@ -1668,16 +1670,16 @@ else ++exp_b10; /* In all cases we output a '1' */ - d = 1; + d = 1.0; } } } fp = 0; /* Guarantees termination below. */ } - if (d == 0) + if (d == 0.0) { ++czero; if (cdigits == 0) ++clead; } diff -ru4NwbB libpng-1.5.9/png.h libpng-1.5.10/png.h --- libpng-1.5.9/png.h 2012-02-18 14:31:14.298366030 -0600 +++ libpng-1.5.10/png.h 2012-03-29 00:06:54.479097811 -0500 @@ -171,8 +171,10 @@ * 1.5.8 15 10508 15.so.15.8[.0] * 1.5.9beta01-02 15 10509 15.so.15.9[.0] * 1.5.9rc01 15 10509 15.so.15.9[.0] * 1.5.9 15 10509 15.so.15.9[.0] + * 1.5.10beta01-05 15 10510 15.so.15.10[.0] + * 1.5.10 15 10510 15.so.15.10[.0] * * Henceforth the source version will match the shared-library major * and minor numbers; the shared-library major version number will be * used for changes in backward compatibility, as it is intended. The @@ -180,9 +182,9 @@ * for applications, is an unsigned integer of the form xyyzz corresponding * to the source version x.y.z (leading zeros in y and z). Beta versions * were given the previous public release number plus a letter, until * version 1.0.6j; from then on they were given the upcoming public - * release number plus "betaNN" or "rcN". + * release number plus "betaNN" or "rcNN". * * Binary incompatibility exists only when applications make direct access * to the info_ptr or png_ptr members through png.h, and the compiled * application is loaded with a different version of the library. @@ -411,9 +413,9 @@ PNG_LIBPNG_BUILD_SPECIAL */ #define PNG_LIBPNG_BUILD_SPECIAL 32 /* Cannot be OR'ed with PNG_LIBPNG_BUILD_PRIVATE */ -#define PNG_LIBPNG_BUILD_BASE_TYPE PNG_LIBPNG_BUILD_BETA +#define PNG_LIBPNG_BUILD_BASE_TYPE %BUILDTYPE% /* Careful here. At one time, Guy wanted to use 082, but that would be octal. * We must not include leading zeros. * Versions 0.7 through 1.0.0 were in the range 0 to 100 here (only @@ -2636,8 +2638,14 @@ ? -((png_int_32)((png_get_uint_32(buf) ^ 0xffffffffL) + 1)) \ : (png_int_32)png_get_uint_32(buf))) #endif +#if defined(PNG_READ_CHECK_FOR_INVALID_INDEX_SUPPORTED) || \ + defined(PNG_WRITE_CHECK_FOR_INVALID_INDEX_SUPPORTED) +PNG_EXPORT(234, void, png_set_check_for_invalid_index, (png_structp png_ptr, + int allowed)); +#endif + /* Maintainer: Put new public prototypes here ^, in libpng.3, and project * defs */ @@ -2645,9 +2653,9 @@ * one to use is one more than this.) Maintainer, remember to add an entry to * scripts/symbols.def as well. */ #ifdef PNG_EXPORT_LAST_ORDINAL - PNG_EXPORT_LAST_ORDINAL(233); + PNG_EXPORT_LAST_ORDINAL(234); #endif #ifdef __cplusplus } diff -ru4NwbB libpng-1.5.9/pngconf.h libpng-1.5.10/pngconf.h --- libpng-1.5.9/pngconf.h 2012-02-18 14:31:14.305696450 -0600 +++ libpng-1.5.10/pngconf.h 2012-03-29 00:06:54.486609529 -0500 @@ -50,10 +50,10 @@ #endif /* This controls optimization of the reading of 16 and 32 bit values * from PNG files. It can be set on a per-app-file basis - it - * just changes whether a macro is used to the function is called. - * The library builder sets the default, if read functions are not + * just changes whether a macro is used when the function is called. + * The library builder sets the default; if read functions are not * built into the library the macro implementation is forced on. */ #ifndef PNG_READ_INT_FUNCTIONS_SUPPORTED # define PNG_USE_READ_MACROS diff -ru4NwbB libpng-1.5.9/pngpread.c libpng-1.5.10/pngpread.c --- libpng-1.5.9/pngpread.c 2012-02-18 14:31:14.386797595 -0600 +++ libpng-1.5.10/pngpread.c 2012-03-29 00:06:54.567379144 -0500 @@ -1,9 +1,9 @@ /* pngpread.c - read a png file in push mode * - * Last changed in libpng 1.5.9 [March 29, 2012] - * Copyright (c) 1998-2011 Glenn Randers-Pehrson + * Last changed in libpng 1.5.9 [February 18, 2012] + * Copyright (c) 1998-2012 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * * This code is released under the libpng license. @@ -127,32 +127,8 @@ png_push_read_IDAT(png_ptr); break; } -#ifdef PNG_READ_tEXt_SUPPORTED - case PNG_READ_tEXt_MODE: - { - png_push_read_tEXt(png_ptr, info_ptr); - break; - } - -#endif -#ifdef PNG_READ_zTXt_SUPPORTED - case PNG_READ_zTXt_MODE: - { - png_push_read_zTXt(png_ptr, info_ptr); - break; - } - -#endif -#ifdef PNG_READ_iTXt_SUPPORTED - case PNG_READ_iTXt_MODE: - { - png_push_read_iTXt(png_ptr, info_ptr); - break; - } - -#endif case PNG_SKIP_MODE: { png_push_crc_finish(png_ptr); break; @@ -542,9 +519,9 @@ png_push_save_buffer(png_ptr); return; } - png_push_handle_tEXt(png_ptr, info_ptr, png_ptr->push_length); + png_handle_tEXt(png_ptr, info_ptr, png_ptr->push_length); } #endif #ifdef PNG_READ_zTXt_SUPPORTED @@ -555,9 +532,9 @@ png_push_save_buffer(png_ptr); return; } - png_push_handle_zTXt(png_ptr, info_ptr, png_ptr->push_length); + png_handle_zTXt(png_ptr, info_ptr, png_ptr->push_length); } #endif #ifdef PNG_READ_iTXt_SUPPORTED @@ -568,9 +545,9 @@ png_push_save_buffer(png_ptr); return; } - png_push_handle_iTXt(png_ptr, info_ptr, png_ptr->push_length); + png_handle_iTXt(png_ptr, info_ptr, png_ptr->push_length); } #endif else @@ -579,9 +556,9 @@ { png_push_save_buffer(png_ptr); return; } - png_push_handle_unknown(png_ptr, info_ptr, png_ptr->push_length); + png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length); } png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; } @@ -1262,523 +1248,8 @@ } #endif /* PNG_READ_INTERLACING_SUPPORTED */ } -#ifdef PNG_READ_tEXt_SUPPORTED -void /* PRIVATE */ -png_push_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 - length) -{ - if (!(png_ptr->mode & PNG_HAVE_IHDR) || (png_ptr->mode & PNG_HAVE_IEND)) - { - PNG_UNUSED(info_ptr) /* To quiet some compiler warnings */ - png_error(png_ptr, "Out of place tEXt"); - /* NOT REACHED */ - } - -#ifdef PNG_MAX_MALLOC_64K - png_ptr->skip_length = 0; /* This may not be necessary */ - - if (length > (png_uint_32)65535L) /* Can't hold entire string in memory */ - { - png_warning(png_ptr, "tEXt chunk too large to fit in memory"); - png_ptr->skip_length = length - (png_uint_32)65535L; - length = (png_uint_32)65535L; - } -#endif - - png_ptr->current_text = (png_charp)png_malloc(png_ptr, length + 1); - png_ptr->current_text[length] = '\0'; - png_ptr->current_text_ptr = png_ptr->current_text; - png_ptr->current_text_size = (png_size_t)length; - png_ptr->current_text_left = (png_size_t)length; - png_ptr->process_mode = PNG_READ_tEXt_MODE; -} - -void /* PRIVATE */ -png_push_read_tEXt(png_structp png_ptr, png_infop info_ptr) -{ - if (png_ptr->buffer_size && png_ptr->current_text_left) - { - png_size_t text_size; - - if (png_ptr->buffer_size < png_ptr->current_text_left) - text_size = png_ptr->buffer_size; - - else - text_size = png_ptr->current_text_left; - - png_crc_read(png_ptr, (png_bytep)png_ptr->current_text_ptr, text_size); - png_ptr->current_text_left -= text_size; - png_ptr->current_text_ptr += text_size; - } - if (!(png_ptr->current_text_left)) - { - png_textp text_ptr; - png_charp text; - png_charp key; - int ret; - - if (png_ptr->buffer_size < 4) - { - png_push_save_buffer(png_ptr); - return; - } - - png_push_crc_finish(png_ptr); - -#ifdef PNG_MAX_MALLOC_64K - if (png_ptr->skip_length) - return; -#endif - - key = png_ptr->current_text; - - for (text = key; *text; text++) - /* Empty loop */ ; - - if (text < key + png_ptr->current_text_size) - text++; - - text_ptr = (png_textp)png_malloc(png_ptr, png_sizeof(png_text)); - text_ptr->compression = PNG_TEXT_COMPRESSION_NONE; - text_ptr->key = key; - text_ptr->itxt_length = 0; - text_ptr->lang = NULL; - text_ptr->lang_key = NULL; - text_ptr->text = text; - - ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1); - - png_free(png_ptr, key); - png_free(png_ptr, text_ptr); - png_ptr->current_text = NULL; - - if (ret) - png_warning(png_ptr, "Insufficient memory to store text chunk"); - } -} -#endif - -#ifdef PNG_READ_zTXt_SUPPORTED -void /* PRIVATE */ -png_push_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 - length) -{ - if (!(png_ptr->mode & PNG_HAVE_IHDR) || (png_ptr->mode & PNG_HAVE_IEND)) - { - PNG_UNUSED(info_ptr) /* To quiet some compiler warnings */ - png_error(png_ptr, "Out of place zTXt"); - /* NOT REACHED */ - } - -#ifdef PNG_MAX_MALLOC_64K - /* We can't handle zTXt chunks > 64K, since we don't have enough space - * to be able to store the uncompressed data. Actually, the threshold - * is probably around 32K, but it isn't as definite as 64K is. - */ - if (length > (png_uint_32)65535L) - { - png_warning(png_ptr, "zTXt chunk too large to fit in memory"); - png_push_crc_skip(png_ptr, length); - return; - } -#endif - - png_ptr->current_text = (png_charp)png_malloc(png_ptr, length + 1); - png_ptr->current_text[length] = '\0'; - png_ptr->current_text_ptr = png_ptr->current_text; - png_ptr->current_text_size = (png_size_t)length; - png_ptr->current_text_left = (png_size_t)length; - png_ptr->process_mode = PNG_READ_zTXt_MODE; -} - -void /* PRIVATE */ -png_push_read_zTXt(png_structp png_ptr, png_infop info_ptr) -{ - if (png_ptr->buffer_size && png_ptr->current_text_left) - { - png_size_t text_size; - - if (png_ptr->buffer_size < (png_uint_32)png_ptr->current_text_left) - text_size = png_ptr->buffer_size; - - else - text_size = png_ptr->current_text_left; - - png_crc_read(png_ptr, (png_bytep)png_ptr->current_text_ptr, text_size); - png_ptr->current_text_left -= text_size; - png_ptr->current_text_ptr += text_size; - } - if (!(png_ptr->current_text_left)) - { - png_textp text_ptr; - png_charp text; - png_charp key; - int ret; - png_size_t text_size, key_size; - - if (png_ptr->buffer_size < 4) - { - png_push_save_buffer(png_ptr); - return; - } - - png_push_crc_finish(png_ptr); - - key = png_ptr->current_text; - - for (text = key; *text; text++) - /* Empty loop */ ; - - /* zTXt can't have zero text */ - if (text >= key + png_ptr->current_text_size) - { - png_ptr->current_text = NULL; - png_free(png_ptr, key); - return; - } - - text++; - - if (*text != PNG_TEXT_COMPRESSION_zTXt) /* Check compression byte */ - { - png_ptr->current_text = NULL; - png_free(png_ptr, key); - return; - } - - text++; - - png_ptr->zstream.next_in = (png_bytep)text; - png_ptr->zstream.avail_in = (uInt)(png_ptr->current_text_size - - (text - key)); - png_ptr->zstream.next_out = png_ptr->zbuf; - png_ptr->zstream.avail_out = (uInt)png_ptr->zbuf_size; - - key_size = text - key; - text_size = 0; - text = NULL; - ret = Z_STREAM_END; - - while (png_ptr->zstream.avail_in) - { - ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH); - if (ret != Z_OK && ret != Z_STREAM_END) - { - inflateReset(&png_ptr->zstream); - png_ptr->zstream.avail_in = 0; - png_ptr->current_text = NULL; - png_free(png_ptr, key); - png_free(png_ptr, text); - return; - } - - if (!(png_ptr->zstream.avail_out) || ret == Z_STREAM_END) - { - if (text == NULL) - { - text = (png_charp)png_malloc(png_ptr, - (png_ptr->zbuf_size - - png_ptr->zstream.avail_out + key_size + 1)); - - png_memcpy(text + key_size, png_ptr->zbuf, - png_ptr->zbuf_size - png_ptr->zstream.avail_out); - - png_memcpy(text, key, key_size); - - text_size = key_size + png_ptr->zbuf_size - - png_ptr->zstream.avail_out; - - *(text + text_size) = '\0'; - } - - else - { - png_charp tmp; - - tmp = text; - text = (png_charp)png_malloc(png_ptr, text_size + - (png_ptr->zbuf_size - - png_ptr->zstream.avail_out + 1)); - - png_memcpy(text, tmp, text_size); - png_free(png_ptr, tmp); - - png_memcpy(text + text_size, png_ptr->zbuf, - png_ptr->zbuf_size - png_ptr->zstream.avail_out); - - text_size += png_ptr->zbuf_size - png_ptr->zstream.avail_out; - *(text + text_size) = '\0'; - } - - if (ret != Z_STREAM_END) - { - png_ptr->zstream.next_out = png_ptr->zbuf; - png_ptr->zstream.avail_out = (uInt)png_ptr->zbuf_size; - } - } - else - { - break; - } - - if (ret == Z_STREAM_END) - break; - } - - inflateReset(&png_ptr->zstream); - png_ptr->zstream.avail_in = 0; - - if (ret != Z_STREAM_END) - { - png_ptr->current_text = NULL; - png_free(png_ptr, key); - png_free(png_ptr, text); - return; - } - - png_ptr->current_text = NULL; - png_free(png_ptr, key); - key = text; - text += key_size; - - text_ptr = (png_textp)png_malloc(png_ptr, - png_sizeof(png_text)); - text_ptr->compression = PNG_TEXT_COMPRESSION_zTXt; - text_ptr->key = key; - text_ptr->itxt_length = 0; - text_ptr->lang = NULL; - text_ptr->lang_key = NULL; - text_ptr->text = text; - - ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1); - - png_free(png_ptr, key); - png_free(png_ptr, text_ptr); - - if (ret) - png_warning(png_ptr, "Insufficient memory to store text chunk"); - } -} -#endif - -#ifdef PNG_READ_iTXt_SUPPORTED -void /* PRIVATE */ -png_push_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 - length) -{ - if (!(png_ptr->mode & PNG_HAVE_IHDR) || (png_ptr->mode & PNG_HAVE_IEND)) - { - PNG_UNUSED(info_ptr) /* To quiet some compiler warnings */ - png_error(png_ptr, "Out of place iTXt"); - /* NOT REACHED */ - } - -#ifdef PNG_MAX_MALLOC_64K - png_ptr->skip_length = 0; /* This may not be necessary */ - - if (length > (png_uint_32)65535L) /* Can't hold entire string in memory */ - { - png_warning(png_ptr, "iTXt chunk too large to fit in memory"); - png_ptr->skip_length = length - (png_uint_32)65535L; - length = (png_uint_32)65535L; - } -#endif - - png_ptr->current_text = (png_charp)png_malloc(png_ptr, length + 1); - png_ptr->current_text[length] = '\0'; - png_ptr->current_text_ptr = png_ptr->current_text; - png_ptr->current_text_size = (png_size_t)length; - png_ptr->current_text_left = (png_size_t)length; - png_ptr->process_mode = PNG_READ_iTXt_MODE; -} - -void /* PRIVATE */ -png_push_read_iTXt(png_structp png_ptr, png_infop info_ptr) -{ - - if (png_ptr->buffer_size && png_ptr->current_text_left) - { - png_size_t text_size; - - if (png_ptr->buffer_size < png_ptr->current_text_left) - text_size = png_ptr->buffer_size; - - else - text_size = png_ptr->current_text_left; - - png_crc_read(png_ptr, (png_bytep)png_ptr->current_text_ptr, text_size); - png_ptr->current_text_left -= text_size; - png_ptr->current_text_ptr += text_size; - } - - if (!(png_ptr->current_text_left)) - { - png_textp text_ptr; - png_charp key; - int comp_flag; - png_charp lang; - png_charp lang_key; - png_charp text; - int ret; - - if (png_ptr->buffer_size < 4) - { - png_push_save_buffer(png_ptr); - return; - } - - png_push_crc_finish(png_ptr); - -#ifdef PNG_MAX_MALLOC_64K - if (png_ptr->skip_length) - return; -#endif - - key = png_ptr->current_text; - - for (lang = key; *lang; lang++) - /* Empty loop */ ; - - if (lang < key + png_ptr->current_text_size - 3) - lang++; - - comp_flag = *lang++; - lang++; /* Skip comp_type, always zero */ - - for (lang_key = lang; *lang_key; lang_key++) - /* Empty loop */ ; - - lang_key++; /* Skip NUL separator */ - - text=lang_key; - - if (lang_key < key + png_ptr->current_text_size - 1) - { - for (; *text; text++) - /* Empty loop */ ; - } - - if (text < key + png_ptr->current_text_size) - text++; - - text_ptr = (png_textp)png_malloc(png_ptr, - png_sizeof(png_text)); - - text_ptr->compression = comp_flag + 2; - text_ptr->key = key; - text_ptr->lang = lang; - text_ptr->lang_key = lang_key; - text_ptr->text = text; - text_ptr->text_length = 0; - text_ptr->itxt_length = png_strlen(text); - - ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1); - - png_ptr->current_text = NULL; - - png_free(png_ptr, text_ptr); - if (ret) - png_warning(png_ptr, "Insufficient memory to store iTXt chunk"); - } -} -#endif - -/* This function is called when we haven't found a handler for this - * chunk. If there isn't a problem with the chunk itself (ie a bad chunk - * name or a critical chunk), the chunk is (currently) silently ignored. - */ -void /* PRIVATE */ -png_push_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 - length) -{ - png_uint_32 skip = 0; - png_uint_32 chunk_name = png_ptr->chunk_name; - - if (PNG_CHUNK_CRITICAL(chunk_name)) - { -#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED - if (png_chunk_unknown_handling(png_ptr, chunk_name) != - PNG_HANDLE_CHUNK_ALWAYS -#ifdef PNG_READ_USER_CHUNKS_SUPPORTED - && png_ptr->read_user_chunk_fn == NULL -#endif - ) -#endif - png_chunk_error(png_ptr, "unknown critical chunk"); - - PNG_UNUSED(info_ptr) /* To quiet some compiler warnings */ - } - -#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED - /* TODO: the code below is apparently just using the - * png_struct::unknown_chunk member as a temporarily variable, it should be - * possible to eliminate both it and the temporary buffer. - */ - if (png_ptr->flags & PNG_FLAG_KEEP_UNKNOWN_CHUNKS) - { -#ifdef PNG_MAX_MALLOC_64K - if (length > 65535) - { - png_warning(png_ptr, "unknown chunk too large to fit in memory"); - skip = length - 65535; - length = 65535; - } -#endif - /* This is just a record for the user; libpng doesn't use the character - * form of the name. - */ - PNG_CSTRING_FROM_CHUNK(png_ptr->unknown_chunk.name, png_ptr->chunk_name); - - png_ptr->unknown_chunk.size = length; - - if (length == 0) - png_ptr->unknown_chunk.data = NULL; - - else - { - png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, - png_ptr->unknown_chunk.size); - png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, - png_ptr->unknown_chunk.size); - } - -#ifdef PNG_READ_USER_CHUNKS_SUPPORTED - if (png_ptr->read_user_chunk_fn != NULL) - { - /* Callback to user unknown chunk handler */ - int ret; - ret = (*(png_ptr->read_user_chunk_fn)) - (png_ptr, &png_ptr->unknown_chunk); - - if (ret < 0) - png_chunk_error(png_ptr, "error in user chunk"); - - if (ret == 0) - { - if (PNG_CHUNK_CRITICAL(png_ptr->chunk_name)) - if (png_chunk_unknown_handling(png_ptr, chunk_name) != - PNG_HANDLE_CHUNK_ALWAYS) - png_chunk_error(png_ptr, "unknown critical chunk"); - png_set_unknown_chunks(png_ptr, info_ptr, - &png_ptr->unknown_chunk, 1); - } - } - - else -#endif - png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1); - png_free(png_ptr, png_ptr->unknown_chunk.data); - png_ptr->unknown_chunk.data = NULL; - } - - else -#endif - skip=length; - png_push_crc_skip(png_ptr, skip); -} - void /* PRIVATE */ png_push_have_info(png_structp png_ptr, png_infop info_ptr) { if (png_ptr->info_fn != NULL) diff -ru4NwbB libpng-1.5.9/pngpriv.h libpng-1.5.10/pngpriv.h --- libpng-1.5.9/pngpriv.h 2012-02-18 14:31:14.315902138 -0600 +++ libpng-1.5.10/pngpriv.h 2012-03-29 00:06:54.496932731 -0500 @@ -1,13 +1,13 @@ /* pngpriv.h - private declarations for use inside libpng * * For conditions of distribution and use, see copyright notice in png.h - * Copyright (c) 1998-2011 Glenn Randers-Pehrson + * Copyright (c) 1998-2012 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * - * Last changed in libpng 1.5.7 [December 15, 2011] + * Last changed in libpng 1.5.10 [March 29, 2012] * * This code is released under the libpng license. * For conditions of distribution and use, see the disclaimer * and license in png.h @@ -132,8 +132,48 @@ #ifndef PNG_DLL_EXPORT # define PNG_DLL_EXPORT #endif +/* SECURITY and SAFETY: + * + * By default libpng is built without any internal limits on image size, + * individual heap (png_malloc) allocations or the total amount of memory used. + * If PNG_SAFE_LIMITS_SUPPORTED is defined, however, the limits below are used + * (unless individually overridden). These limits are believed to be fairly + * safe, but builders of secure systems should verify the values against the + * real system capabilities. + */ + +#ifdef PNG_SAFE_LIMITS_SUPPORTED + /* 'safe' limits */ +# ifndef PNG_USER_WIDTH_MAX +# define PNG_USER_WIDTH_MAX 1000000 +# endif +# ifndef PNG_USER_HEIGHT_MAX +# define PNG_USER_HEIGHT_MAX 1000000 +# endif +# ifndef PNG_USER_CHUNK_CACHE_MAX +# define PNG_USER_CHUNK_CACHE_MAX 128 +# endif +# ifndef PNG_USER_CHUNK_MALLOC_MAX +# define PNG_USER_CHUNK_MALLOC_MAX 8000000 +# endif +#else + /* values for no limits */ +# ifndef PNG_USER_WIDTH_MAX +# define PNG_USER_WIDTH_MAX 0x7fffffff +# endif +# ifndef PNG_USER_HEIGHT_MAX +# define PNG_USER_HEIGHT_MAX 0x7fffffff +# endif +# ifndef PNG_USER_CHUNK_CACHE_MAX +# define PNG_USER_CHUNK_CACHE_MAX 0 +# endif +# ifndef PNG_USER_CHUNK_MALLOC_MAX +# define PNG_USER_CHUNK_MALLOC_MAX 0 +# endif +#endif + /* This is used for 16 bit gamma tables - only the top level pointers are const, * this could be changed: */ typedef PNG_CONST png_uint_16p FAR * png_const_uint_16pp; @@ -425,8 +465,9 @@ #define PNG_WROTE_INFO_BEFORE_PLTE 0x400 #define PNG_BACKGROUND_IS_GRAY 0x800 #define PNG_HAVE_PNG_SIGNATURE 0x1000 #define PNG_HAVE_CHUNK_AFTER_IDAT 0x2000 /* Have another chunk after IDAT */ +#define PNG_HAVE_iCCP 0x4000 /* Flags for the transformations the PNG library does on the image data */ #define PNG_BGR 0x0001 #define PNG_INTERLACE 0x0002 @@ -1354,8 +1395,15 @@ png_uint_32 width, png_uint_32 height, int bit_depth, int color_type, int interlace_type, int compression_type, int filter_type)); +/* Added at libpng version 1.5.10 */ +#if defined(PNG_READ_CHECK_FOR_INVALID_INDEX_SUPPORTED) || \ + defined(PNG_WRITE_CHECK_FOR_INVALID_INDEX_SUPPORTED) +PNG_EXTERN void png_do_check_palette_indexes PNGARG((png_structp png_ptr, + png_row_infop row_info)); +#endif + /* Free all memory used by the read (old method - NOT DLL EXPORTED) */ PNG_EXTERN void png_read_destroy PNGARG((png_structp png_ptr, png_infop info_ptr, png_infop end_info_ptr)); diff -ru4NwbB libpng-1.5.9/pngread.c libpng-1.5.10/pngread.c --- libpng-1.5.9/pngread.c 2012-02-18 14:31:14.395466893 -0600 +++ libpng-1.5.10/pngread.c 2012-03-29 00:06:54.575981702 -0500 @@ -1,9 +1,9 @@ /* pngread.c - read a PNG file * - * Last changed in libpng 1.5.7 [December 15, 2011] - * Copyright (c) 1998-2011 Glenn Randers-Pehrson + * Last changed in libpng 1.5.10 [March 8, 2012] + * Copyright (c) 1998-2012 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * * This code is released under the libpng license. @@ -66,18 +66,14 @@ #ifdef PNG_USER_LIMITS_SUPPORTED png_ptr->user_width_max = PNG_USER_WIDTH_MAX; png_ptr->user_height_max = PNG_USER_HEIGHT_MAX; -# ifdef PNG_USER_CHUNK_CACHE_MAX /* Added at libpng-1.2.43 and 1.4.0 */ png_ptr->user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX; -# endif -# ifdef PNG_SET_USER_CHUNK_MALLOC_MAX /* Added at libpng-1.2.43 and 1.4.1 */ png_ptr->user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX; # endif -#endif #ifdef PNG_SETJMP_SUPPORTED /* Applications that neglect to set up their own setjmp() and then * encounter a png_error() will longjmp here. Since the jmpbuf is @@ -804,8 +800,15 @@ return; png_crc_finish(png_ptr, 0); /* Finish off CRC from last IDAT chunk */ +#ifdef PNG_READ_CHECK_FOR_INVALID_INDEX_SUPPORTED + /* Report invalid palette index; added at libng-1.5.10 */ + if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE && + png_ptr->num_palette_max > png_ptr->num_palette) + png_benign_error(png_ptr, "Read palette index exceeding num_palette"); +#endif + do { png_uint_32 length = png_read_chunk_header(png_ptr); png_uint_32 chunk_name = png_ptr->chunk_name; @@ -1069,14 +1072,8 @@ #ifdef PNG_PROGRESSIVE_READ_SUPPORTED png_free(png_ptr, png_ptr->save_buffer); #endif -#ifdef PNG_PROGRESSIVE_READ_SUPPORTED -#ifdef PNG_TEXT_SUPPORTED - png_free(png_ptr, png_ptr->current_text); -#endif /* PNG_TEXT_SUPPORTED */ -#endif /* PNG_PROGRESSIVE_READ_SUPPORTED */ - /* Save the important info out of the png_struct, in case it is * being used again. */ #ifdef PNG_SETJMP_SUPPORTED diff -ru4NwbB libpng-1.5.9/pngrtran.c libpng-1.5.10/pngrtran.c --- libpng-1.5.9/pngrtran.c 2012-02-18 14:31:14.425826087 -0600 +++ libpng-1.5.10/pngrtran.c 2012-03-29 00:06:54.612484275 -0500 @@ -1,9 +1,9 @@ /* pngrtran.c - transforms the data in a row for PNG readers * - * Last changed in libpng 1.5.7 [December 15, 2011] - * Copyright (c) 1998-2011 Glenn Randers-Pehrson + * Last changed in libpng 1.5.10 [March 8, 2012] + * Copyright (c) 1998-2012 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * * This code is released under the libpng license. @@ -1829,14 +1829,17 @@ #endif /* PNG_READ_BACKGROUND_SUPPORTED */ #ifdef PNG_READ_SHIFT_SUPPORTED if ((png_ptr->transformations & PNG_SHIFT) && + !(png_ptr->transformations & PNG_EXPAND) && (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)) { int i; int istop = png_ptr->num_palette; int shift = 8 - png_ptr->sig_bit.red; + png_ptr->transformations &= ~PNG_SHIFT; + /* significant bits can be in the range 1 to 7 for a meaninful result, if * the number of significant bits is 0 then no shift is done (this is an * error condition which is silently ignored.) */ @@ -2295,8 +2298,14 @@ if (png_ptr->transformations & PNG_PACK) png_do_unpack(row_info, png_ptr->row_buf + 1); #endif +#ifdef PNG_READ_CHECK_FOR_INVALID_INDEX_SUPPORTED + /* Added at libpng-1.5.10 */ + if (row_info->color_type == PNG_COLOR_TYPE_PALETTE) + png_do_check_palette_indexes(png_ptr, row_info); +#endif + #ifdef PNG_READ_BGR_SUPPORTED if (png_ptr->transformations & PNG_BGR) png_do_bgr(row_info, png_ptr->row_buf + 1); #endif diff -ru4NwbB libpng-1.5.9/pngrutil.c libpng-1.5.10/pngrutil.c --- libpng-1.5.9/pngrutil.c 2012-02-18 14:31:14.441988426 -0600 +++ libpng-1.5.10/pngrutil.c 2012-03-29 00:06:54.628335185 -0500 @@ -1,8 +1,8 @@ /* pngrutil.c - utilities to read a PNG file * - * Last changed in libpng 1.5.9 [March 29, 2012] + * Last changed in libpng 1.5.10 [March 8, 2012] * Copyright (c) 1998-2012 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -433,17 +433,15 @@ * compressed data will be removed, the prefix will remain. */ if (prefix_size >= (~(png_size_t)0) - 1 || expanded_size >= (~(png_size_t)0) - 1 - prefix_size -#ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED +#ifdef PNG_USER_LIMITS_SUPPORTED || (png_ptr->user_chunk_malloc_max && (prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1)) #else -# ifdef PNG_USER_CHUNK_MALLOC_MAX || ((PNG_USER_CHUNK_MALLOC_MAX > 0) && prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1) # endif -#endif ) png_warning(png_ptr, "Exceeded size limit while expanding chunk"); /* If the size is zero either there was an error and a message @@ -1258,15 +1256,18 @@ else if (png_ptr->mode & PNG_HAVE_PLTE) /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place iCCP chunk"); - if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) + if ((png_ptr->mode & PNG_HAVE_iCCP) || (info_ptr != NULL && + (info_ptr->valid & (PNG_INFO_iCCP|PNG_INFO_sRGB)))) { png_warning(png_ptr, "Duplicate iCCP chunk"); png_crc_finish(png_ptr, length); return; } + png_ptr->mode |= PNG_HAVE_iCCP; + #ifdef PNG_MAX_MALLOC_64K if (length > (png_uint_32)65535L) { png_warning(png_ptr, "iCCP chunk too large to fit in memory"); @@ -1794,18 +1795,18 @@ png_crc_finish(png_ptr, length); return; } - num = length / 2 ; - - if (num != (unsigned int)png_ptr->num_palette || num > - (unsigned int)PNG_MAX_PALETTE_LENGTH) + if (length > 2*PNG_MAX_PALETTE_LENGTH || + length != (unsigned int) (2*png_ptr->num_palette)) { png_warning(png_ptr, "Incorrect hIST chunk length"); png_crc_finish(png_ptr, length); return; } + num = length / 2 ; + for (i = 0; i < num; i++) { png_byte buf[2]; diff -ru4NwbB libpng-1.5.9/pngset.c libpng-1.5.10/pngset.c --- libpng-1.5.9/pngset.c 2012-02-18 14:31:14.450735768 -0600 +++ libpng-1.5.10/pngset.c 2012-03-29 00:06:54.637034941 -0500 @@ -1,9 +1,9 @@ /* pngset.c - storage of image information into info struct * - * Last changed in libpng 1.5.7 [December 15, 2011] - * Copyright (c) 1998-2011 Glenn Randers-Pehrson + * Last changed in libpng 1.5.10 [(PENDING RELEASE)] + * Copyright (c) 1998-2012 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * * This code is released under the libpng license. @@ -691,16 +691,18 @@ * to hold all of the incoming text_ptr objects. */ if (info_ptr->num_text + num_text > info_ptr->max_text) { + int old_max_text = info_ptr->max_text; + int old_num_text = info_ptr->num_text; + if (info_ptr->text != NULL) { png_textp old_text; - int old_max; - old_max = info_ptr->max_text; info_ptr->max_text = info_ptr->num_text + num_text + 8; old_text = info_ptr->text; + info_ptr->text = (png_textp)png_malloc_warn(png_ptr, (png_size_t)(info_ptr->max_text * png_sizeof(png_text))); if (info_ptr->text == NULL) @@ -704,13 +706,15 @@ (png_size_t)(info_ptr->max_text * png_sizeof(png_text))); if (info_ptr->text == NULL) { - png_free(png_ptr, old_text); + /* Restore to previous condition */ + info_ptr->max_text = old_max_text; + info_ptr->text = old_text; return(1); } - png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max * + png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max_text * png_sizeof(png_text))); png_free(png_ptr, old_text); } @@ -720,9 +724,14 @@ info_ptr->num_text = 0; info_ptr->text = (png_textp)png_malloc_warn(png_ptr, (png_size_t)(info_ptr->max_text * png_sizeof(png_text))); if (info_ptr->text == NULL) + { + /* Restore to previous condition */ + info_ptr->num_text = old_num_text; + info_ptr->max_text = old_max_text; return(1); + } info_ptr->free_me |= PNG_FREE_TEXT; } png_debug1(3, "allocated %d entries for info_ptr->text", @@ -1280,5 +1289,21 @@ else png_ptr->flags &= ~PNG_FLAG_BENIGN_ERRORS_WARN; } #endif /* PNG_BENIGN_ERRORS_SUPPORTED */ + +#ifdef PNG_READ_CHECK_FOR_INVALID_INDEX_SUPPORTED + /* Do not report invalid palette index; added at libng-1.5.10 */ +void PNGAPI +png_set_check_for_invalid_index(png_structp png_ptr, int allowed) +{ + png_debug(1, "in png_set_check_for_invalid_index"); + + if (allowed) + png_ptr->num_palette_max = 0; + + else + png_ptr->num_palette_max = -1; +} +#endif + #endif /* PNG_READ_SUPPORTED || PNG_WRITE_SUPPORTED */ diff -ru4NwbB libpng-1.5.9/pngstruct.h libpng-1.5.10/pngstruct.h --- libpng-1.5.9/pngstruct.h 2012-02-18 14:31:14.322395982 -0600 +++ libpng-1.5.10/pngstruct.h 2012-03-29 00:06:54.503385638 -0500 @@ -120,8 +120,14 @@ png_uint_32 idat_size; /* current IDAT size for read */ png_uint_32 crc; /* current chunk CRC value */ png_colorp palette; /* palette from the input file */ png_uint_16 num_palette; /* number of color entries in palette */ + +/* Added at libpng-1.5.10 */ +#ifdef PNG_CHECK_FOR_INVALID_INDEX_SUPPORTED + int num_palette_max; /* maximum palette index found in IDAT */ +#endif + png_uint_16 num_trans; /* number of transparency values */ png_byte compression; /* file compression type (always 0) */ png_byte filter; /* file filter type (always 0) */ png_byte interlaced; /* PNG_INTERLACE_NONE, PNG_INTERLACE_ADAM7 */ @@ -210,15 +216,8 @@ png_size_t current_buffer_size; /* amount of data now in current_buffer */ int process_mode; /* what push library is currently doing */ int cur_palette; /* current push library palette index */ -# ifdef PNG_TEXT_SUPPORTED - png_size_t current_text_size; /* current size of text input data */ - png_size_t current_text_left; /* how much text left to read in input */ - png_charp current_text; /* current text chunk buffer */ - png_charp current_text_ptr; /* current location in current_text */ -# endif /* PNG_PROGRESSIVE_READ_SUPPORTED && PNG_TEXT_SUPPORTED */ - #endif /* PNG_PROGRESSIVE_READ_SUPPORTED */ #if defined(__TURBOC__) && !defined(_Windows) && !defined(__FLAT__) /* For the Borland special 64K segment handler */ diff -ru4NwbB libpng-1.5.9/pngtrans.c libpng-1.5.10/pngtrans.c --- libpng-1.5.9/pngtrans.c 2012-02-18 14:31:14.467958032 -0600 +++ libpng-1.5.10/pngtrans.c 2012-03-29 00:06:54.654457660 -0500 @@ -1,9 +1,9 @@ /* pngtrans.c - transforms the data in a row (used by both readers and writers) * - * Last changed in libpng 1.5.4 [July 7, 2011] - * Copyright (c) 1998-2011 Glenn Randers-Pehrson + * Last changed in libpng 1.5.10 [March 8, 2012] + * Copyright (c) 1998-2012 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * * This code is released under the libpng license. @@ -618,8 +618,111 @@ } } #endif /* PNG_READ_BGR_SUPPORTED or PNG_WRITE_BGR_SUPPORTED */ +#if defined(PNG_READ_CHECK_FOR_INVALID_INDEX_SUPPORTED) || \ + defined(PNG_WRITE_CHECK_FOR_INVALID_INDEX_SUPPORTED) +/* Added at libpng-1.5.10 */ +void /* PRIVATE */ +png_do_check_palette_indexes(png_structp png_ptr, png_row_infop row_info) +{ + if (png_ptr->num_palette < (1 << row_info->bit_depth) && + png_ptr->num_palette_max >= 0) + { + /* Calculations moved outside switch in an attempt to stop different + * compiler warnings. 'padding' is in *bits* within the last byte, it is + * an 'int' because pixel_depth becomes an 'int' in the expression below, + * and this calculation is used because it avoids warnings that other + * forms produced on either GCC or MSVC. + */ + int padding = (-row_info->pixel_depth * row_info->width) & 7; + png_bytep rp = png_ptr->row_buf + row_info->rowbytes; + + switch (row_info->bit_depth) + { + case 1: + { + /* in this case, all bytes must be 0 so we don't need + * to unpack the pixels except for the rightmost one. + */ + for (; rp > png_ptr->row_buf; rp--) + { + if (*rp >> padding != 0) + png_ptr->num_palette_max = 1; + padding = 0; + } + + break; + } + + case 2: + { + for (; rp > png_ptr->row_buf; rp--) + { + int i = ((*rp >> padding) & 0x03); + + if (i > png_ptr->num_palette_max) + png_ptr->num_palette_max = i; + + i = (((*rp >> padding) >> 2) & 0x03); + + if (i > png_ptr->num_palette_max) + png_ptr->num_palette_max = i; + + i = (((*rp >> padding) >> 4) & 0x03); + + if (i > png_ptr->num_palette_max) + png_ptr->num_palette_max = i; + + i = (((*rp >> padding) >> 6) & 0x03); + + if (i > png_ptr->num_palette_max) + png_ptr->num_palette_max = i; + + padding = 0; + } + + break; + } + + case 4: + { + for (; rp > png_ptr->row_buf; rp--) + { + int i = ((*rp >> padding) & 0x0f); + + if (i > png_ptr->num_palette_max) + png_ptr->num_palette_max = i; + + i = (((*rp >> padding) >> 4) & 0x0f); + + if (i > png_ptr->num_palette_max) + png_ptr->num_palette_max = i; + + padding = 0; + } + + break; + } + + case 8: + { + for (; rp > png_ptr->row_buf; rp--) + { + if (*rp >= png_ptr->num_palette_max) + png_ptr->num_palette_max = (int) *rp; + } + + break; + } + + default: + break; + } + } +} +#endif /* PNG_CHECK_FOR_INVALID_INDEX_SUPPORTED */ + #if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) || \ defined(PNG_WRITE_USER_TRANSFORM_SUPPORTED) #ifdef PNG_USER_TRANSFORM_PTR_SUPPORTED void PNGAPI diff -ru4NwbB libpng-1.5.9/pngwrite.c libpng-1.5.10/pngwrite.c --- libpng-1.5.9/pngwrite.c 2012-02-18 14:31:14.482732696 -0600 +++ libpng-1.5.10/pngwrite.c 2012-03-29 00:06:54.669727590 -0500 @@ -1,9 +1,9 @@ /* pngwrite.c - general routines to write a PNG file * - * Last changed in libpng 1.5.7 [December 15, 2011] - * Copyright (c) 1998-2011 Glenn Randers-Pehrson + * Last changed in libpng 1.5.10 [March 8, 2012] + * Copyright (c) 1998-2012 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * * This code is released under the libpng license. @@ -304,8 +304,13 @@ if (!(png_ptr->mode & PNG_HAVE_IDAT)) png_error(png_ptr, "No IDATs written into file"); +#ifdef PNG_WRITE_CHECK_FOR_INVALID_INDEX_SUPPORTED + if (png_ptr->num_palette_max > png_ptr->num_palette) + png_benign_error(png_ptr, "Wrote palette index exceeding num_palette"); +#endif + /* See if user wants us to write information chunks */ if (info_ptr != NULL) { #ifdef PNG_WRITE_TEXT_SUPPORTED @@ -797,8 +802,15 @@ png_do_write_intrapixel(&row_info, png_ptr->row_buf + 1); } #endif +/* Added at libpng-1.5.10 */ +#ifdef PNG_WRITE_CHECK_FOR_INVALID_INDEX_SUPPORTED + /* Check for out-of-range palette index */ + if(row_info.color_type == PNG_COLOR_TYPE_PALETTE) + png_do_check_palette_indexes(png_ptr, &row_info); +#endif + /* Find a filter if necessary, filter the row and write it out. */ png_write_find_filter(png_ptr, &row_info); if (png_ptr->write_row_fn != NULL) diff -ru4NwbB libpng-1.5.9/pngwutil.c libpng-1.5.10/pngwutil.c --- libpng-1.5.9/pngwutil.c 2012-02-18 14:31:14.502618600 -0600 +++ libpng-1.5.10/pngwutil.c 2012-03-29 00:06:54.689775945 -0500 @@ -1,9 +1,9 @@ /* pngwutil.c - utilities to write a PNG file * - * Last changed in libpng 1.5.6 [November 3, 2011] - * Copyright (c) 1998-2011 Glenn Randers-Pehrson + * Last changed in libpng 1.5.10 [March 8, 2012] + * Copyright (c) 1998-2012 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * * This code is released under the libpng license. @@ -568,25 +568,26 @@ } /* Ship the compressed text out via chunk writes */ static void /* PRIVATE */ -png_write_compressed_data_out(png_structp png_ptr, compression_state *comp) +png_write_compressed_data_out(png_structp png_ptr, compression_state *comp, + png_size_t data_len) { int i; /* Handle the no-compression case */ if (comp->input) { - png_write_chunk_data(png_ptr, comp->input, comp->input_len); + png_write_chunk_data(png_ptr, comp->input, data_len); return; } #ifdef PNG_WRITE_OPTIMIZE_CMF_SUPPORTED /* The zbuf_size test is because the code below doesn't work if zbuf_size is * '1'; simply skip it to avoid memory overwrite. */ - if (comp->input_len >= 2 && comp->input_len < 16384 && png_ptr->zbuf_size > 1) + if (data_len >= 2 && comp->input_len < 16384 && png_ptr->zbuf_size > 1) { unsigned int z_cmf; /* zlib compression method and flags */ /* Optimize the CMF field in the zlib stream. This hack of the zlib @@ -1163,10 +1164,9 @@ (png_size_t)(name_len + 2)); if (profile_len) { - comp.input_len = profile_len; - png_write_compressed_data_out(png_ptr, &comp); + png_write_compressed_data_out(png_ptr, &comp, profile_len); } png_write_chunk_end(png_ptr); png_free(png_ptr, new_name); @@ -1734,10 +1734,9 @@ /* Write compression */ png_write_chunk_data(png_ptr, &buf, (png_size_t)1); /* Write the compressed data */ - comp.input_len = text_len; - png_write_compressed_data_out(png_ptr, &comp); + png_write_compressed_data_out(png_ptr, &comp, text_len); /* Close the chunk */ png_write_chunk_end(png_ptr); } @@ -1826,9 +1825,9 @@ png_write_chunk_data(png_ptr, (lang_key ? (png_const_bytep)lang_key : cbuf), (png_size_t)(lang_key_len + 1)); - png_write_compressed_data_out(png_ptr, &comp); + png_write_compressed_data_out(png_ptr, &comp, text_len); png_write_chunk_end(png_ptr); png_free(png_ptr, new_key); diff -ru4NwbB libpng-1.5.9/scripts/options.awk libpng-1.5.10/scripts/options.awk --- libpng-1.5.9/scripts/options.awk 2011-12-21 08:50:53.995640000 -0600 +++ libpng-1.5.10/scripts/options.awk 2012-02-24 19:17:05.386605000 -0600 @@ -41,9 +41,9 @@ cx= "/" ct "*" # Open C comment for output file comment=start cx # Comment start cend="*/" end # Comment end def=start "#define PNG_" ct # Arbitrary define - sup=ct "_SUPPORTED" end # end supported option + sup=ct "_SUPPORTED 1" end # end supported option und=comment "#undef PNG_" ct # Unsupported option une=ct "_SUPPORTED" cend # end unsupported option error=start "ERROR:" # error message diff -ru4NwbB libpng-1.5.9/scripts/pnglibconf.dfa libpng-1.5.10/scripts/pnglibconf.dfa --- libpng-1.5.9/scripts/pnglibconf.dfa 2011-12-05 14:22:38.225250000 -0600 +++ libpng-1.5.10/scripts/pnglibconf.dfa 2012-03-04 21:49:35.600907000 -0600 @@ -26,9 +26,9 @@ # # The syntax is detailed in scripts/options.awk, this is a summary # only: # -# setting [requires ...] [default] +# setting [default] # #define PNG_ /* value comes from current setting */ # option [requires ...] [if ...] [enables ...] [disabled] # #define PNG__SUPPORTED if the requirements are met and # enable the other options listed @@ -265,22 +265,24 @@ # Feature added at libpng-1.4.1, this flag added at 1.4.1 option SET_USER_LIMITS enables SET_CHUNK_MALLOC_LIMIT -# Added at libpng-1.0.16 and 1.2.6. To accept all valid PNGs no matter -# how large, set these two limits to 0x7fffffff - -setting USER_WIDTH_MAX default 1000000 -setting USER_HEIGHT_MAX default 1000000 - -# Added at libpng-1.2.43. To accept all valid PNGs no matter -# how large, set these two limits to 0. - -setting USER_CHUNK_CACHE_MAX default 0 - -# Added at libpng-1.2.43 - -setting USER_CHUNK_MALLOC_MAX default 0 +# Libpng limits. +# +# If these settings are *not* set libpng will not limit the size of +# images or the size of data in ancilliary chunks. This does lead to +# security issues if PNG files come from untrusted sources. +setting USER_WIDTH_MAX +setting USER_HEIGHT_MAX +setting USER_CHUNK_CACHE_MAX +setting USER_CHUNK_MALLOC_MAX + +# To default all these settings to values that are large but probably +# safe turn the SAFE_LIMITS option on; this will cause the value in +# pngpriv.h to be used. Individual values can also be set, simply set +# them in pngusr.dfa with '@#define PNG_setting value' lines. +option SAFE_LIMITS enables USER_LIMITS disabled += SAFE_LIMITS SAFE_LIMITS # All of the following options relate to code capabilities for # processing image data before creating a PNG or after reading one. # You can remove these capabilities safely and still be PNG @@ -575,4 +577,14 @@ # Turn this off to disable png_read_png() and png_write_png() and # leave the row_pointers member out of the info structure. option INFO_IMAGE + +# added at libpng-1.5.10 +# Turn this off to disable warning about invalid palette index and +# leave the num_palette_max member out of the png structure. + +option CHECK_FOR_INVALID_INDEX enables READ_CHECK_FOR_INVALID_INDEX +option CHECK_FOR_INVALID_INDEX enables WRITE_CHECK_FOR_INVALID_INDEX +option READ_CHECK_FOR_INVALID_INDEX requires READ CHECK_FOR_INVALID_INDEX +option WRITE_CHECK_FOR_INVALID_INDEX requires WRITE CHECK_FOR_INVALID_INDEX + diff -ru4NwbB libpng-1.5.9/scripts/pnglibconf.h.prebuilt libpng-1.5.10/scripts/pnglibconf.h.prebuilt --- libpng-1.5.9/scripts/pnglibconf.h.prebuilt 2012-02-18 14:31:16.748561553 -0600 +++ libpng-1.5.10/scripts/pnglibconf.h.prebuilt 2012-03-29 00:06:56.807777736 -0500 @@ -4,9 +4,9 @@ /* pnglibconf.h - library build configuration */ /* Libpng 1.5.10 - March 29, 2012 */ -/* Copyright (c) 1998-2011 Glenn Randers-Pehrson */ +/* Copyright (c) 1998-2012 Glenn Randers-Pehrson */ /* This code is released under the libpng license. */ /* For conditions of distribution and use, see the disclaimer */ /* and license in png.h */ @@ -30,12 +30,8 @@ #define PNG_QUANTIZE_BLUE_BITS 5 #define PNG_QUANTIZE_GREEN_BITS 5 #define PNG_QUANTIZE_RED_BITS 5 #define PNG_sCAL_PRECISION 5 -#define PNG_USER_CHUNK_CACHE_MAX 0 -#define PNG_USER_CHUNK_MALLOC_MAX 0 -#define PNG_USER_HEIGHT_MAX 1000000 -#define PNG_USER_WIDTH_MAX 1000000 #define PNG_WEIGHT_SHIFT 8 #define PNG_ZBUF_SIZE 8192 /* end of settings */ /* options */ @@ -44,8 +40,9 @@ #define PNG_BENIGN_ERRORS_SUPPORTED #define PNG_bKGD_SUPPORTED #define PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED #define PNG_CHECK_cHRM_SUPPORTED +#define PNG_CHECK_FOR_INVALID_INDEX_SUPPORTED #define PNG_cHRM_SUPPORTED #define PNG_CONSOLE_IO_SUPPORTED #define PNG_CONVERT_tIME_SUPPORTED #define PNG_EASY_ACCESS_SUPPORTED @@ -73,8 +70,9 @@ #define PNG_READ_ANCILLARY_CHUNKS_SUPPORTED #define PNG_READ_BACKGROUND_SUPPORTED #define PNG_READ_BGR_SUPPORTED #define PNG_READ_bKGD_SUPPORTED +#define PNG_READ_CHECK_FOR_INVALID_INDEX_SUPPORTED #define PNG_READ_cHRM_SUPPORTED #define PNG_READ_COMPOSITE_NODIV_SUPPORTED #define PNG_READ_COMPRESSED_TEXT_SUPPORTED #define PNG_READ_EXPAND_16_SUPPORTED @@ -144,8 +142,9 @@ #define PNG_WRITE_16BIT_SUPPORTED #define PNG_WRITE_ANCILLARY_CHUNKS_SUPPORTED #define PNG_WRITE_BGR_SUPPORTED #define PNG_WRITE_bKGD_SUPPORTED +#define PNG_WRITE_CHECK_FOR_INVALID_INDEX_SUPPORTED #define PNG_WRITE_cHRM_SUPPORTED #define PNG_WRITE_COMPRESSED_TEXT_SUPPORTED #define PNG_WRITE_CUSTOMIZE_ZTXT_COMPRESSION_SUPPORTED #define PNG_WRITE_FILLER_SUPPORTED diff -ru4NwbB libpng-1.5.9/scripts/symbols.def libpng-1.5.10/scripts/symbols.def --- libpng-1.5.9/scripts/symbols.def 2012-02-18 14:31:16.760084488 -0600 +++ libpng-1.5.10/scripts/symbols.def 2012-03-29 00:06:56.818823277 -0500 @@ -238,4 +238,5 @@ png_get_cHRM_XYZ @230 png_get_cHRM_XYZ_fixed @231 png_set_cHRM_XYZ @232 png_set_cHRM_XYZ_fixed @233 + png_set_check_for_invalid_index @234