images (and bump package to 1.2.5nb2). The following is taken directly
from the png-implement mailing list...
Date: Fri, 20 Dec 2002 11:26:31 -0500
From: Glenn Randers-Pehrson <glennrp@comcast.net>
Reply-To: png-implement@ccrc.wustl.edu
To: png-implement@ccrc.wustl.edu
Subject: Re: [png-implement] bug in png_read_filler() with 16-bit samples
At 01:01 AM 12/5/02 -0500, Glenn Randers-Pehrson wrote:
>A bug has turned up in png_read_filler() with 16-bit samples.
>The starting offsets for the loops are calculated incorrectly
>which causes a buffer overrun beyond the beginning of the row
>buffer.
>
>To fix, at lines 1968 and 1990,
>change "row_width * 3" to "row_width * 6"
>and at lines 1969 and 1991,
>change "row_width;" to "row_width * 2;"
This is only half of the story. Adding an alpha channel to
16-bit *grayscale* images with png_do_read_filler() exhibits
the same bug, and pngcrush crashes if I try to do it.
To fix, at lines 1892, 1893, 1910, and 1911 of pngrtran.c
change "row_width" to "row_width * 2"
Note that applications that do not add an alpha channel via
png_set_filler(), and any applications that do, but reduce 16-bit
samples to 8 bit via png_set_strip_16() are invulnerable to
the bug. Pngcrush is the only application that I know of
that uses png_set_filler() without also using png_set_strip_16().
Glenn
--
Send the message body "help" to png-implement-request@ccrc.wustl.edu
reported to the png-implement mailing list by Glenn Randers-Pehrson:
ftp://swrinde.nde.swri.edu/pub/png-group/archives/png-implement.200212
[Glenn Randers-Pehrson is the original author and chief maintainer of
libpng.]
From the discussion in the archive, it appears to be unlikely that the
bug could be exploited by a malicious web-server, chiefly because the
operation that triggers it is more likely to be carried out by an image
manipulation program (i.e. pngcrush), than by a web browser.
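The offset arithmetic behind the bug above, worked through in code. This is an added example, not libpng's code and not the patch from the mailing list. lowest_write_offset() redoes the start-offset calculation of the back-to-front filler loop as the message describes it (one byte per sample in 1.2.5, two bytes per sample after the fix) and returns the lowest offset the loop would write, so the underrun shows up as a negative number without any memory being touched. add_filler16_after() is the corrected in-place expansion with a capacity check in front of it. The loop shape assumed (row_width-1 full iterations plus the first pixel's filler), the big-endian filler byte order and all function names are this example's own assumptions. Applications that call png_set_strip_16() reduce to 8-bit samples before the filler is added and never reach this 16-bit path, which is why the message lists them as unaffected.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Lowest byte offset, relative to the start of the row buffer, that the
 * back-to-front "filler after" loop writes for a 16-bit row of row_width
 * pixels with `channels` samples per pixel (1 = grey, 3 = RGB).
 * Loop shape assumed here: dp starts one past the end of the expanded row,
 * is decremented 2*(channels+1) bytes for each of row_width-1 pixels, then
 * 2 more bytes for the first pixel's filler.  fixed == 0 computes the start
 * offsets with one byte per sample (the 1.2.5 bug described above),
 * fixed != 0 with two bytes per sample (the posted fix).  A negative result
 * means the loop writes before the buffer: the underrun the message reports. */
ptrdiff_t lowest_write_offset(size_t row_width, unsigned channels, int fixed)
{
    if (row_width == 0) return 0;
    size_t bps = fixed ? 2 : 1;                                    /* bytes per sample used for offsets */
    ptrdiff_t sp_start = (ptrdiff_t)(row_width * channels * bps);  /* "row_width * 3" vs "row_width * 6" */
    ptrdiff_t dp_start = sp_start + (ptrdiff_t)(row_width * bps);  /* "row_width" vs "row_width * 2"     */
    ptrdiff_t written  = (ptrdiff_t)(2 * (channels + 1) * (row_width - 1) + 2);
    return dp_start - written;
}

/* Corrected in-place expansion of a 16-bit row: every pixel gets one extra
 * 16-bit sample (the filler) after its existing samples.  Offsets use two
 * bytes per sample and the caller's capacity is checked before any write.
 * The filler is stored big-endian like other PNG samples (this example's
 * choice).  Returns 0 on success, -1 if row_cap cannot hold the result. */
int add_filler16_after(uint8_t *row, size_t row_cap, size_t row_width,
                       unsigned channels, uint16_t filler)
{
    if (channels == 0 || row_width == 0) return -1;
    if (row_width > SIZE_MAX / (2 * (channels + 1))) return -1;  /* size arithmetic would wrap */
    size_t in_bytes  = row_width * channels * 2;                 /* row_width * 6 for RGB, * 2 for grey */
    size_t out_bytes = in_bytes + row_width * 2;                 /* one more 16-bit sample per pixel    */
    if (row_cap < out_bytes) return -1;

    uint8_t *sp = row + in_bytes;                                /* one past the last input byte  */
    uint8_t *dp = row + out_bytes;                               /* one past the last output byte */
    for (size_t i = 0; i < row_width; i++) {
        *(--dp) = (uint8_t)(filler & 0xff);
        *(--dp) = (uint8_t)(filler >> 8);
        for (unsigned s = 0; s < channels * 2; s++)
            *(--dp) = *(--sp);                                   /* dp >= sp throughout, so in place is safe */
    }
    return 0;
}

/* Constructed sample (not from any real file): two grey16 pixels 0x1234 and
 * 0x5678, filler 0xABCD.  Returns 1 if a 6-byte buffer is rejected and the
 * 8-byte buffer expands to 12 34 AB CD 56 78 AB CD, else 0. */
int grey16_example(void)
{
    uint8_t row[8] = { 0x12, 0x34, 0x56, 0x78, 0, 0, 0, 0 };
    static const uint8_t want[8] = { 0x12, 0x34, 0xAB, 0xCD, 0x56, 0x78, 0xAB, 0xCD };
    if (add_filler16_after(row, 6, 2, 1, 0xABCD) != -1) return 0;  /* 6 bytes cannot hold 8 */
    if (add_filler16_after(row, sizeof row, 2, 1, 0xABCD) != 0) return 0;
    return memcmp(row, want, sizeof row) == 0;
}

int main(void)
{
    printf("RGB16, 4 pixels, 1.2.5 offsets: lowest write at byte %td\n", lowest_write_offset(4, 3, 0));
    printf("RGB16, 4 pixels, fixed offsets: lowest write at byte %td\n", lowest_write_offset(4, 3, 1));
    printf("grey16 sample expands as expected: %s\n", grey16_example() ? "yes" : "no");
    return 0;
}
```

With the fixed offsets the lowest write lands at byte 2*channels, i.e. just after the first pixel's original samples, which is what makes the in-place expansion work; with the 1.2.5 offsets it lands before byte 0 for any row wider than one pixel, and grows more negative with row_width.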
* Changed png_error() to png_warning() about
"Too much data" in pngpread.c and about
"Extra compressed data" in pngrutil.c.
* Prevent png_ptr->pass from exceeding 7 in
png_push_finish_row().
* Updated png.c and pnggccrd.c handling of return from
png_mmx_support() [Doesn't apply to the package.]
* Only issue png_warning() about "Too much data" in
pngpread.c when avail_in is nonzero.
* Relocated two misplaced PNGAPI lines in pngtest.c
Update submitted by Stefan Krüger in PR/18926.
buildlink2.mk files back into the main trunk. This provides sufficient
buildlink2 infrastructure to start merging other packages from the
buildlink2 branch that have already been converted to use the buildlink2
framework.
and png_set_text_2(), call for a minor version bump in the shared library.
Update "BUILDLINK_DEPENDS" to current level. Also make the shared library
versions visible in the top-level "Makefile", and add a top-level "test"
target to invoke "pngtest" in ${WRKSRC}.
The following is culled from the extensive "CHANGES" file, omitting
all make system and doc changes, and some bug fixes for bugs that weren't
present in 1.2.1. See "CHANGES" for complete details:
Added setjmp() at the end of png_create_*_struct_2() in case user forgets
to put one in their application.
Exported png_zalloc(), png_zfree(), png_default_read(), png_default_write(),
png_default_flush(), and png_push_fill_buffer() and included them in
module definition files.
Revised prototype for png_default_flush()
Typos in *.def files (png_default_read|write -> png_default_read|write_data)
Once more restored png_zalloc and png_zfree to regular nonexported form.
Restored png_default_read|write_data, png_default_flush, png_read_fill_buffer
to nonexported form, but with PNGAPI, and removed them from module def files.
Removed "PNGAPI" from png_zalloc() and png_zfree() in png.c
Plugged various memory leaks; added png_malloc_warn() and png_set_text_2()
functions.
Plugged memory leak of png_ptr->current_text (Matt Holgate).
Check for buffer overflow before reading CRC in pngpread.c (Warwick Allison)
Plugged memory leak of row_buf in pngtest.c when there is a png_error().
Detect buffer overflow in pngpread.c when IDAT is corrupted with extra data.
Changed png_warning() to png_error() when width is too large to process.
shared library version, and in the dependency information for hundreds of
other packages. [Update to png itself was supplied by Thomas Wizner.]
Relevant changes since 1.0.12, extracted from the "CHANGES" file:
Re-enabled PNG_MNG_FEATURES_SUPPORTED and enabled PNG_ASSEMBLER_CODE_SUPPORTED
by default.
Added runtime selection of MMX features.
Added png_set_strip_error_numbers function and related macros.
Added a check for attempts to read or write PLTE in grayscale PNG datastreams.
Enabled user memory function by default.
Modified png_create_struct so it passes user mem_ptr to user memory allocator.
Increased png_mng_features flag from png_byte to png_uint_32.
Check for missing profile length field in iCCP chunk and free chunk_data
in case of truncated iCCP chunk.
Revised contrib/gregbook/rpng*-x.c to avoid a memory leak and to exit cleanly
if user attempts to run it on an 8-bit display.
Updated contrib/gregbook
Use png_malloc instead of png_zalloc to allocate palette in pngset.c
Added some typecasts to eliminate gcc 3.0 warnings. Changed prototypes
of png_write_oFFS width and height from png_uint_32 to png_int_32.
Updated example.c
Revised prototypes for png_debug_malloc and png_debug_free in pngtest.c
Revised contrib/gregbook
Revised pnggccrd.c to conditionally compile some thread-unsafe code only
when PNG_THREAD_UNSAFE_OK is defined.
Added tests to prevent pngwutil.c from writing a bKGD or tRNS chunk with
value exceeding 2^bit_depth-1
Replaced calls to fprintf(stderr,...) with png_warning() in pnggccrd.c
Removed restriction that do_invert_mono only operate on 1-bit opaque files
Changed a png_warning() to png_debug() in pnggccrd.c
Fixed contrib/gregbook/rpng-x.c, rpng2-x.c to avoid crash with XFreeGC().
Include background_1 in png_struct regardless of gamma support.
Revised example.c to provide more details about using row_callback().
Added type cast to each NULL appearing in a function call, except for
WINCE functions.
Removed type casts from all NULLs.
Simplified png_create_struct_2().
Revised png_create_info_struct() and png_create_struct_2().
Added error message if png_write_info() was omitted.
Type cast NULLs appearing in function calls when _NO_PROTO or
PNG_TYPECAST_NULL is defined.
Type cast NULLs appearing in function calls except when PNG_NO_TYPECAST_NULL
is defined.
Changed typecast of "size" argument to png_size_t in pngmem.c calls to
the user malloc_fn, to agree with the prototype in png.h
Added a pop/push operation to pnggccrd.c, to preserve Eflag (Maxim Sobolev)
Added a pop/push operation to pngvcrd.c, to preserve Eflag.
Always allocate 256-entry internal palette, hist, and trans arrays, to
avoid out-of-bounds memory reference caused by invalid PNG datastreams.
Added a check for prefix_length > data_length in iCCP chunk handler.
. Added some never-to-be-executed code in pnggccrd.c to quiet compiler
warnings.
. Added a check for attempts to read or write PLTE in grayscale PNG
datastreams.
. Eliminated the png_error about apps using png_read|write_init(). Instead,
libpng will reallocate the png_struct and info_struct if they are too small.
This achieves future binary compatibility for old applications written for
libpng-0.88 and earlier. Expanded the warnings about incompatible library
and application.
. Modified png_create_struct so it passes user mem_ptr to user memory
allocator.
. Check for missing profile length field in iCCP chunk and free the chunk_data
in case of truncated iCCP chunk.
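The chunk-sanity checks listed in these entries (fixed 256-entry palette, hist and trans arrays; PLTE in a greyscale datastream; prefix_length > data_length and truncation in iCCP; bKGD and tRNS values above 2^bit_depth-1; and, in the older changes further down, overlength PLTE and overlength tRNS checked against the palette size) as one added example. This is not libpng's code: check_chunk() validates a chunk payload against the layouts the PNG specification defines, before anything is copied out of it, and returns a reason code on rejection. The png_hdr type, the CHK_* codes and the constructed chunk payloads are this example's own. The "missing profile length field" check on iCCP happens after the profile is inflated and is left out here because the example does not link zlib.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Header state the checks need, taken from IHDR and PLTE (example's own type). */
typedef struct {
    unsigned bit_depth;    /* 1, 2, 4, 8 or 16 */
    unsigned color_type;   /* 0 grey, 2 RGB, 3 palette, 4 grey+alpha, 6 RGB+alpha */
    unsigned num_palette;  /* PLTE entries accepted so far, 0 if none */
} png_hdr;

enum { CHK_OK, CHK_PLTE_IN_GREY, CHK_PLTE_LENGTH, CHK_ICCP_NO_TERMINATOR,
       CHK_ICCP_TRUNCATED, CHK_TRNS_LENGTH, CHK_TRNS_RANGE,
       CHK_BKGD_LENGTH, CHK_BKGD_RANGE };

static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* 1 if all n 16-bit big-endian samples at p are <= 2^bit_depth - 1. */
static int samples_in_range(const uint8_t *p, unsigned n, unsigned bit_depth)
{
    unsigned maxval = (1u << bit_depth) - 1u;
    for (unsigned i = 0; i < n; i++)
        if (be16(p + 2 * i) > maxval) return 0;
    return 1;
}

/* Validate one chunk payload before anything is copied out of it.
 * Reads only data[0..len-1]; returns CHK_OK or the reason for rejection. */
int check_chunk(png_hdr *h, const char *type, const uint8_t *data, size_t len)
{
    int grey = (h->color_type == 0 || h->color_type == 4);

    if (memcmp(type, "PLTE", 4) == 0) {
        if (grey) return CHK_PLTE_IN_GREY;                 /* PLTE in a greyscale datastream */
        if (len == 0 || len % 3 != 0 || len > 256 * 3)     /* overlength PLTE: > 256 entries */
            return CHK_PLTE_LENGTH;                        /* keeps a 256-entry array in bounds */
        h->num_palette = (unsigned)(len / 3);
        return CHK_OK;
    }
    if (memcmp(type, "iCCP", 4) == 0) {
        /* Layout: profile name (1..79 bytes), NUL, compression method, compressed profile. */
        size_t name_len = 0;
        while (name_len < len && data[name_len] != 0) name_len++;
        if (name_len == len || name_len == 0 || name_len > 79)
            return CHK_ICCP_NO_TERMINATOR;                 /* no NUL inside the chunk */
        size_t prefix_length = name_len + 2;               /* name + NUL + method byte */
        if (prefix_length > len) return CHK_ICCP_TRUNCATED; /* prefix_length > data_length */
        return CHK_OK;                                     /* profile itself still needs inflating */
    }
    if (memcmp(type, "tRNS", 4) == 0) {
        if (h->color_type == 3)                            /* one alpha byte per palette entry */
            return len <= h->num_palette ? CHK_OK : CHK_TRNS_LENGTH;
        unsigned n = h->color_type == 0 ? 1 : h->color_type == 2 ? 3 : 0;
        if (n == 0 || len != 2 * n) return CHK_TRNS_LENGTH; /* alpha types carry no tRNS */
        return samples_in_range(data, n, h->bit_depth) ? CHK_OK : CHK_TRNS_RANGE;
    }
    if (memcmp(type, "bKGD", 4) == 0) {
        if (h->color_type == 3) {                          /* a single palette index */
            if (len != 1) return CHK_BKGD_LENGTH;
            return data[0] < h->num_palette ? CHK_OK : CHK_BKGD_RANGE;
        }
        unsigned n = grey ? 1 : 3;
        if (len != 2 * n) return CHK_BKGD_LENGTH;
        return samples_in_range(data, n, h->bit_depth) ? CHK_OK : CHK_BKGD_RANGE;
    }
    return CHK_OK;                                         /* other chunk types: not checked here */
}

/* Constructed chunk payloads (not from any real file).  Returns how many of
 * the six are rejected; the two well-formed ones are accepted, so 4. */
int run_sample_checks(void)
{
    png_hdr rgb8 = { 8, 2, 0 }, grey8 = { 8, 0, 0 }, pal8 = { 8, 3, 0 };
    static const uint8_t plte[6]     = { 0, 0, 0, 255, 255, 255 };     /* 2 entries */
    static const uint8_t iccp_cut[4] = { 'i', 'c', 'c', 0 };           /* NUL, no method byte */
    static const uint8_t iccp_ok[6]  = { 'i', 'c', 'c', 0, 0, 0x78 };  /* method 0 + data */
    static const uint8_t trns_rgb[6] = { 0, 0, 0, 0, 1, 0 };           /* blue = 0x0100 */
    int rejected = 0;
    rejected += check_chunk(&grey8, "PLTE", plte, 6) != CHK_OK;        /* PLTE in grey */
    rejected += check_chunk(&pal8,  "PLTE", plte, 6) != CHK_OK;        /* accepted */
    rejected += check_chunk(&pal8,  "tRNS", plte, 3) != CHK_OK;        /* 3 > num_palette 2 */
    rejected += check_chunk(&rgb8,  "iCCP", iccp_cut, 4) != CHK_OK;    /* prefix 5 > 4 */
    rejected += check_chunk(&rgb8,  "iCCP", iccp_ok, 6) != CHK_OK;     /* accepted */
    rejected += check_chunk(&rgb8,  "tRNS", trns_rgb, 6) != CHK_OK;    /* 256 > 255 */
    return rejected;
}

int main(void)
{
    printf("%d of 6 constructed chunks rejected\n", run_sample_checks());
    return 0;
}
```

The PLTE length bound and the tRNS-against-num_palette bound are what make a fixed 256-entry allocation safe: once neither can exceed 256 entries, a palette index read from the datastream can be range-checked against num_palette instead of against whatever happened to be allocated.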
pkgsrc change: bump shared library major like it happened in libpng some
time ago -- our libtool'ified build didn't reflect this. Fixes pkg/12856
by Thor Simon. Note necessity of manual major/minor handling in Makefile,
to decrease chance that this will repeat in the future.
Changes since 1.0.10:
Added type casts on several png_malloc() calls (Dimitri Papadapoulos).
Removed a no-longer needed AIX work-around from pngconf.h
Changed several "//" single-line comments to C-style in pnggccrd.c
Removed PNGAPI from several functions whose prototypes did not have PNGAPI.
Updated scripts/pngos2.def
Added a check for NULL return from user's malloc_fn().
Removed some useless type casts of the NULL pointer.
Added makefile.netbsd [not used, since we're using libtool instead]
Changes are:
Changed sprintf() to strcpy() in png_write_sCAL_s() to work without STDIO
Added data_length parameter to png_decompress_chunk() function
Revised documentation to remove reference to abandoned png_free_chnk functions
Fixed an error in png_rgb_to_gray_fixed()
Revised example.c, usage of png_destroy_write_struct().
Renamed makefile.ibmvac3 to makefile.ibmc, added libpng.icc IBM project file
Added a check for info_ptr->free_me&PNG_FREE_TEXT when free'ing text in png.c
Simplify png_sig_bytes() function to remove use of non-ISO-C strdup().
Added png_data_freer() function.
In the code that checks for over-length tRNS chunks, added check of
info_ptr->num_trans as well as png_ptr->num_trans (Matthias Benckmann)
Check for existing data and free it if the free_me flag is set, in png_set_*()
and png_handle_*().
Only define PNG_WEIGHTED_FILTERS_SUPPORTED when PNG_FLOATING_POINT_SUPPORTED
is defined.
Changed several instances of PNG_NO_CONSOLE_ID to PNG_NO_STDIO in pngrutil.c
and mentioned the purposes of the two macros in libpng.txt/libpng.3.
Revised png_set_iCCP() and png_set_rows() to avoid prematurely freeing data.
Add checks in png_set_text() for NULL members of the input text structure.
Removed superfluous prototype for png_set_itxt from png.h
Removed "else" from pngread.c, after png_error(), and changed "0" to "length".
Changed several png_errors about malformed ancillary chunks to png_warnings.
Added png_pass-* arrays to pnggccrd.c when PNG_USE_LOCAL_ARRAYS is defined.
Relocated paragraph about png_set_background() in libpng.3/libpng.txt
and other revisions (Matthias Benckmann)
Relocated info_ptr->free_me to restore binary compatibility with libpng-1.0.5
(breaks compatibility with libpng-1.0.6).
Relocated info_ptr->free_me, png_ptr->free_me, and other info_ptr and
png_ptr members to restore binary compatibility with libpng-1.0.5
(breaks compatibility with libpng-1.0.6).
Rearranged some members at the end of png_info and png_struct, to put
unknown_chunks_num and free_me within the original size of the png_structs
and free_me, png_read_user_fn, and png_free_fn within the original png_info,
because some old applications allocate the structs directly instead of
using png_create_*().
Added documentation of user memory functions in libpng.txt/libpng.3
Modified png_read_png so that it will use user_allocated row_pointers
if present, unless free_me directs that it be freed, and added description
of the use of png_set_rows() and png_get_rows() in libpng.txt/libpng.3.
Added PNG_LEGACY_SUPPORTED macro, and #ifdef out all new (since version
1.00) members of png_struct and png_info, to regain binary compatibility
when you define this macro. Capabilities lost in this event
are user transforms (new in version 1.0.0),the user transform pointer
(new in version 1.0.2), rgb_to_gray (new in 1.0.5), iCCP, sCAL, sPLT,
the high-level interface, and unknown chunks support (all new in 1.0.6).
This was necessary because of old applications that allocate the structs
directly as authors were instructed to do in libpng-0.88 and earlier,
instead of using png_create_*().
Added makefile.intel and updated makefile.watcom (Pawel Mrochen)
Overloaded png_read_init() and png_write_init() with macros that convert
calls to png_read_init_2() or png_write_init_2() that check the version
and structure sizes.
Made PNG_NO_ITXT_SUPPORTED the default setting, to avoid memory overrun
when old applications fill the info_ptr->text structure directly.
Added PNGAPI macro, and added it to the definitions of all exported functions.
Relocated version macro definitions ahead of the includes of zlib.h and
pngconf.h in png.h.
Made PNG_NO_CONSOLE_IO the default condition when PNG_BUILD_DLL is defined.
Use MSC _RPTn debugging instead of fprintf if _MSC_VER is defined.
Added png_access_version_number() function.
Check for mask&PNG_FREE_CHNK (for TEXT, SCAL, PCAL) in png_free_data().
Expanded libpng.3/libpng.txt information about png_data_freer().
Changed pnggccrd.c and pngvcrd.c to handle bad adaptive filter types as
warnings instead of errors, as pngrutil.c does.
Set the PNG_INFO_IDAT valid flag in png_set_rows() so png_write_png()
will actually write IDATs.
Made the default PNG_USE_LOCAL_ARRAYS depend on PNG_DLL instead of WIN32.
Make png_free_data() ignore its final parameter when freeing data that can
have multiple instances (text, sPLT, unknowns).
Removed info_ptr->valid tests from png_free_data(), as in version 1.0.5.
Added png_set_invalid() function.
Fixed incorrect illustrations of png_destroy_write_struct() in example.c.
Revised the deliberately erroneous Linux setjmp code in pngconf.h to produce
fewer error messages.
Set each pointer to NULL after freeing it in png_free_data().
Worked around a problem in pngconf.h; AIX's strings.h defines an "index"
macro that conflicts with libpng's png_color_16.index. (Dimitri Papadapoulos)
Added PNG_NO_POINTER_INDEXING macro to use array-indexing instead of pointer
indexing in pngrutil.c and pngwutil.c to accommodate a buggy compiler.
Added a check for overlength PLTE chunk in pngrutil.c.
Added a warning in png_decompress_chunk() when it runs out of data.
Revised the copyright/disclaimer/license notice.
Corrected the definition of PNG_TRANSFORM_INVERT_ALPHA (0x0400 not 0x0200)
Added PNG_USE_DLL macro.
Added "msvc" and contrib/msvctest directories with MSVC++ project files
(Simon-Pierre Cadieux) and contrib/visupng directory (Willem van Schaik).
Removed leading underscores from "_PNG_H" and "_PNG_SAVE_BSD_SOURCE" macros.
Fixed bugs in pngwrite.c and pngwutil.c that prevented writing iCCP chunks.
Revised the definition of "trans_values" in libpng.3/libpng.txt
- Added contrib/pngsuite and contrib/pngminus (Willem van Schaik)
- Fixed a typo in the png_set_sRGB() function call in example.c (Jan Nijtmans)
- Further optimization and bugfix of pngvcrd.c
- Revised pngset.c so that it does not allocate or free memory in the user's
text_ptr structure. Instead, it makes its own copy.
- Added code in pngwrite.c to free info_ptr->text[i].key to stop a memory leak.
- Created separate write_end_info_struct in pngtest.c for a more severe test.
- Moved PNG_FLAG_HAVE_CHUNK_HEADER, PNG_FLAG_BACKGROUND_IS_GRAY and
PNG_FLAG_WROTE_tIME from flags to mode.
- Added png_write_info_before_PLTE() function.
- Fixed some typecasting in contrib/gregbook/*.c
- Updated scripts/makevms.com (Martin Zinser)
- Moved png_get_header_version from png.h to png.c, to accommodate ansi2knr.
- Removed all global arrays (according to PNG_NO_GLOBAL_ARRAYS macro), to
accommodate making DLL's: Moved usr_png_ver from global variable to function
png_get_header_ver() in png.c. Moved png_sig to png_sig_bytes in png.c and
eliminated use of png_sig in pngwutil.c. Moved the various png_CHNK arrays
into local arrays. Eliminated use of global png_pass arrays. Declared the
png_CHNK and png_pass arrays to be "const". Made the global arrays
available to applications when PNG_NO_GLOBAL_ARRAYS is not defined or
when PNG_USE_GLOBAL_ARRAYS is defined. Made available to applications a
macro "PNG_USE_LOCAL_ARRAYS".
- Changed the PNG_sRGB_INTENT macros in png.h to be consistent with PNG-1.2.
- Change PNG_SRGB_INTENT to PNG_sRGB_INTENT in libpng.txt and libpng.3
- Added PNG_EXPORT_VAR macro to accommodate making DLL's.
- Refactored the inflate/deflate support to make adding new chunks with
trailing compressed parts easier in the future (Eric S. Raymond).
- Added iCCP, iTXt, sCAL, and sPLT support; added "lang", "lang_key", and
"itxt_length" members to the png_text structure (Eric S. Raymond, Glenn R-P)
- Changed png_get_oFFs() and png_set_oFFs() to use signed rather than unsigned
offsets (Eric S. Raymond).
- Combined PNG_READ_cHNK_SUPPORTED and PNG_WRITE_cHNK_SUPPORTED macros into
PNG_cHNK_SUPPORTED and combined the three types of PNG_text_SUPPORTED
macros, leaving the separate macros also available.
- Removed comments on #endifs at the end of many short, non-nested #if-blocks.
- Changed makefile.solaris to issue a warning about potential problems when
the ucb "ld" is in the path ahead of the ccs "ld".
- Removed "- [date]" from the "synopsis" line in libpng.3 and libpngpf.3.
- Added code in pngwrite.c to work around a newly discovered zlib bug.
- Unknown chunk handling is now supported (Eric S. Raymond).
- Option to eliminate all floating point support was added. Some new
fixed-point functions such as png_set_gAMA_fixed() were added.
- Added new type "png_fixed_point" for integers that hold float*100000 values
- Added many parentheses, e.g., "if (a && b & c)" becomes "if (a && (b & c))"
- Added png_handle_as_unknown()
- Added chunk_list and num_chunk_list members of png_ptr.
- Define png_get_int_32 when oFFs chunk is supported as well as when pCAL is.
- Added functions png_set_read_user_chunk_fn() and png_get_user_chunk_ptr()
for setting a callback function to handle unknown chunks and for
retrieving the associated user pointer (Glenn).
- Added png_free_data() function.
- Added high-level functions png_read_png() and png_write_png() (ESR).
- Renamed pngdll.mak to makefile.bd32
- Cosmetic changes in pngtest.c
- Fixed pngvcrd.c bug by pushing/popping registers in mmxsupport (Bruce Oberg)
- Revised makefile.gcmmx
- Fixed a bug in pngrtran.c that improperly expanded the background color.
- Return *num_text=0 from png_get_text() when appropriate, and fix
documentation of png_get_text() in libpng.txt/libpng.3.
- Added PNG_SETJMP_SUPPORTED, PNG_SETJMP_NOT_SUPPORTED, and PNG_ABORT() and
"png_jmpbuf()" macros to pngconf.h, to help people migrate to the new error
handler that's planned for the next libpng release, and changed example.c,
pngtest.c, and contrib programs to use this macro.
- Revised some of the DLL-export macros in pngconf.h (Greg Roelofs)
- Fixed some mistakes in the unused and undocumented INCH_CONVERSIONS functions
in pngget.c
- Updated makefile.linux and makefile.gccmmx to make directories conditionally.
- Increased precision of rgb_to_gray calculations from 8 to 15 bits and
added png_set_rgb_to_gray_fixed() function.
- Added makefile.bc32 (32-bit Borland C++, C mode)
- Updated references to the zlib home page, which has moved to
freesoftware.com.
- Corrected bugs in documentation regarding png_read_row() and png_write_row().
- Renamed makefile.borland,turboc3 back to makefile.bor,tc3 as in version
1.0.3, revised borland makefiles; added makefile.ibmvac3 and makefile.gcc
(Cosmin)
- Added makefile.sggcc (SGI IRIX with gcc)
(everything but ImageMagick, gs5, and xemacs20). The API hasn't changed
much, say the install instructions, but it isn't binary compatible--bump
shlib version to 1.0.