Remove all currently detected cases of unsigned overflow. Detection is
runtime, so test case dependent. The changes to pngvalid.c eliminate
spurious and probably invalid tests with one while loop exception.
Apart from that and the change to the dependence on the intended
unsigned overflow in pngtrans.c the changes are limited to altering the
meme for an unsigned 'x' from:
while (x-- > 0)
to
for (; x > 0; --x)
This works because, in all cases, the control variable is not used in
the loop. The 'while' meme was, at one time, warn'ed by GCC so it is
probably a good change, for some weird religious value of good.
Signed-off-by: John Bowler <jbowler@acm.org>
This implements an API and provides a number of assist macros to allow an
application which uses the simplified API write to bypass stdio and write
directly to memory.
It also includes some warnings (png.h) and some check code to detect *possible*
overflow in the ROW_STRIDE and simplified image SIZE macros. This disallows
image width/height/format that *might* overflow. A quiet API change that limits
in-memory image size (uncompressed) to less that 4GByte and image row size
(stride) to less than 2GByte.
Signed-off-by: John Bowler <jbowler@acm.org>
input that was made in version 1.6.17beta01, to preserve legacy
behavior even though it was incorrect. Instead, added new API
png_set_filter_16() and png_set_add_alpha_16() that set a flag to
make png_do_read_filter() interpret the filler bytes properly.
0x8000 flag definitions on 16-bit systems. They aren't supported
yet the defs *probably* work, however it seems much safer to do this
and be advised if anyone, contrary to advice, is building libpng 1.6
on a 16-bit system. It also adds back various switch default clauses
for GCC; GCC errors out if they are not present (with an appropriately
high level of warnings).
value was wrong. It's not clear if this affected the final stored
value; in the obvious code path the upper and lower 8-bits of the
alpha value were identical and the alpha was truncated to 8-bits
rather than dividing by 257 (John Bowler).
in the code the number of elements in an array is calculated using
sizeof. This generates a compile time constant of type (size_t) which
is then typically assigned to an (unsigned int) or (int). Some versions
of GCC on 64-bit systems warn about the apparent narrowing, even though
the same compiler does apparently generate the correct, in-range,
numeric constant. This adds appropriate, safe, casts to make the
warnings go away.
