As per the const correctness rules, top-level const-ness of data
in automatic scopes does not propagate outside of these scopes
(unlike const-ness at lower levels, such as pointers to const data).
Previously, const was used liberally, but inconsistently across the
libpng codebase. Using const wherever applicable is not incorrect.
However, _consistent_ use of const is difficult to maintain in such
conditions.
In conclusion, we shall continue to use const only where doing so is
strictly necessary:
1. If a function guarantees that it will not modify an argument
passed by pointer, the corresponding function parameter should be
a pointer-to-const (const T *).
2. Static data should not be modified, therefore it should be const.
Reference:
Google C++ Style Guide
https://google.github.io/styleguide/cppguide.html#Use_of_const
In v1.6.0, size_t became a required type. It should be used
consistently. To maintain backwards compatibility, png_size_t
is still maintained in deprecated form.
Configure libpng with "configure --enable-intel-sse" or compile
libpng with "-DPNG_INTEL_SSE" in CPPFLAGS to enable it. This patch was
previously applied to libpng-1.6.28rc03 but withdrawn to allow time for QA.
Remove all currently detected cases of unsigned overflow. Detection is
runtime, so test case dependent. The changes to pngvalid.c eliminate
spurious and probably invalid tests with one while loop exception.
Apart from that and the change to the dependence on the intended
unsigned overflow in pngtrans.c the changes are limited to altering the
meme for an unsigned 'x' from:
while (x-- > 0)
to
for (; x > 0; --x)
This works because, in all cases, the control variable is not used in
the loop. The 'while' meme was, at one time, warn'ed by GCC so it is
probably a good change, for some weird religious value of good.
Signed-off-by: John Bowler <jbowler@acm.org>
The code now validates the ICC profile length against the user chunk limit
before the buffer is allocated, as opposed to doing it while the buffer is read.
This removes the potential to consume virtual address space with a carefully
crafted ICC profile; only an issue on 32-bit systems where a valid profile can
be up to 2^32-4 bytes in length. libpng never writes beyond the application
supplied limit, but previously it did allocate a buffer of the size specified in
the profile header. The exploitability of this is almost zero; the address
space is released as soon as the PNG read completes.
Also clean up PNG_DEBUG compile of pngtest.c.
Signed-off-by: John Bowler <jbowler@acm.org>
