AuroraMiddleware/libpng
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[libpng16= Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer).

Browse Source
This commit is contained in:
Glenn Randers-Pehrson 2017-02-27 20:17:56 -06:00
parent b475d0593c
commit 4f31b7f242
3 changed files with 11 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ANNOUNCE
View File

@ -1,4 +1,4 @@
Libpng 1.6.29beta03 - February 22, 2017
Libpng 1.6.29beta03 - February 28, 2017
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
@ -39,7 +39,8 @@ Version 1.6.29beta02 [February 22, 2017]
branches; the comments were correct.
Added code for PowerPC VSX optimisation (Vadim Barkov).
Version 1.6.29beta03 [February 22, 2017]
Version 1.6.29beta03 [February 28, 2017]
Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer).
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit

3
CHANGES
View File

@ -5808,7 +5808,8 @@ Version 1.6.29beta02 [February 22, 2017]
branches; the comments were correct.
Added code for PowerPC VSX optimisation (Vadim Barkov).
Version 1.6.29beta03 [February 22, 2017]
Version 1.6.29beta03 [February 28, 2017]
Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer).
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit

12
pngrtran.c
View File

@ -1,8 +1,8 @@
/* pngrtran.c - transforms the data in a row for PNG readers
*
* Last changed in libpng 1.6.24 [August 4, 2016]
* Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson
* Last changed in libpng 1.6.29 [(PENDING RELEASE)]
* Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
*
@ -4302,7 +4302,7 @@ png_do_expand_palette(png_row_infop row_info, png_bytep row,
if (num_trans > 0)
{
sp = row + (png_size_t)row_width - 1;
dp = row + (png_size_t)(row_width << 2) - 1;
dp = row + ((png_size_t)row_width << 2) - 1;
for (i = 0; i < row_width; i++)
{
@ -4463,7 +4463,7 @@ png_do_expand(png_row_infop row_info, png_bytep row,
{
gray = gray & 0xff;
sp = row + (png_size_t)row_width - 1;
dp = row + (png_size_t)(row_width << 1) - 1;
dp = row + ((png_size_t)row_width << 1) - 1;
for (i = 0; i < row_width; i++)
{
@ -4519,7 +4519,7 @@ png_do_expand(png_row_infop row_info, png_bytep row,
png_byte green = (png_byte)(trans_color->green & 0xff);
png_byte blue = (png_byte)(trans_color->blue & 0xff);
sp = row + (png_size_t)row_info->rowbytes - 1;
dp = row + (png_size_t)(row_width << 2) - 1;
dp = row + ((png_size_t)row_width << 2) - 1;
for (i = 0; i < row_width; i++)
{
if (*(sp - 2) == red && *(sp - 1) == green && *(sp) == blue)
@ -4542,7 +4542,7 @@ png_do_expand(png_row_infop row_info, png_bytep row,
png_byte green_low = (png_byte)(trans_color->green & 0xff);
png_byte blue_low = (png_byte)(trans_color->blue & 0xff);
sp = row + row_info->rowbytes - 1;
dp = row + (png_size_t)(row_width << 3) - 1;
dp = row + ((png_size_t)row_width << 3) - 1;
for (i = 0; i < row_width; i++)
{
if (*(sp - 5) == red_high &&