d5cfb80689
images (and bump package to 1.2.5nb2).

The following is taken directly from the png-implement mailing list...

Date: Fri, 20 Dec 2002 11:26:31 -0500
From: Glenn Randers-Pehrson <glennrp@comcast.net>
Reply-To: png-implement@ccrc.wustl.edu
To: png-implement@ccrc.wustl.edu
Subject: Re: [png-implement] bug in png_read_filler() with 16-bit samples

At 01:01 AM 12/5/02 -0500, Glenn Randers-Pehrson wrote:
>A bug has turned up in png_read_filler() with 16-bit samples.
>The starting offsets for the loops are calculated incorrectly
>which causes a buffer overrun beyond the beginning of the row
>buffer.
>
>To fix, at lines 1968 and 1990,
>change "row_width * 3" to "row_width * 6"
>and at lines 1969 and 1991,
>change "row_width;" to "row_width * 2;"

This is only half of the story. Adding an alpha channel to 16-bit
*grayscale* images with png_do_read_filler() exhibits the same bug,
and pngcrush crashes if I try to do it.

To fix, at lines 1892, 1893, 1910, and 1911 of pngrtran.c
change "row_width" to "row_width * 2"

Note that applications that do not add an alpha channel via
png_set_filler(), and any applications that do, but reduce 16-bit
samples to 8 bit via png_set_strip_16() are invulnerable to the bug.
Pngcrush is the only application that I know of that uses
png_set_filler() without also using png_set_strip_16().

Glenn

--
Send the message body "help" to png-implement-request@ccrc.wustl.edu
patch-aa

patch-ab

patch-ac
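The offset arithmetic behind both fixes quoted in the commit message, as an added example that is not libpng source and not part of the original message. It models the backward in-place loop with offsets only (nothing is dereferenced) and assumes each quoted pair of expressions gives the source start offset and the amount added to it to reach the destination start; the function names and the sample row width are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Offset-only model of a backward, in-place filler expansion (added example,
 * not libpng source). Nothing is dereferenced, so the pre-fix start offsets
 * can be evaluated safely. src_bpp/dst_bpp are bytes per pixel before/after
 * the filler is added. Returns the lowest row offset either cursor reaches;
 * a negative value means access before the start of the row buffer. */
long lowest_offset(long row_width, long src_bpp, long dst_bpp,
                   long src_start, long dst_start)
{
    long sp = src_start, dp = dst_start;
    long lowest = sp < dp ? sp : dp;
    for (long i = 0; i < row_width; i++) {
        sp -= src_bpp;              /* sample bytes read for one pixel */
        dp -= dst_bpp;              /* sample bytes plus filler written */
        if (sp < lowest) lowest = sp;
        if (dp < lowest) lowest = dp;
    }
    return lowest;
}

/* 16-bit RGB -> RGB + filler: 6 bytes in, 8 bytes out per pixel.
 * Before: "row_width * 3" and "row_width"; after: "* 6" and "* 2". */
long rgb16_before_fix(long w) { return lowest_offset(w, 6, 8, w * 3, w * 3 + w); }
long rgb16_after_fix(long w)  { return lowest_offset(w, 6, 8, w * 6, w * 6 + w * 2); }

/* 16-bit gray -> gray + filler: 2 bytes in, 4 bytes out per pixel.
 * Before: "row_width" for both; after: "row_width * 2" for both. */
long gray16_before_fix(long w) { return lowest_offset(w, 2, 4, w, w + w); }
long gray16_after_fix(long w)  { return lowest_offset(w, 2, 4, w * 2, w * 2 + w * 2); }

int main(void)
{
    long w = 100; /* constructed sample row width in pixels */
    printf("rgb16  before: %ld  after: %ld\n",
           rgb16_before_fix(w), rgb16_after_fix(w));
    printf("gray16 before: %ld  after: %ld\n",
           gray16_before_fix(w), gray16_after_fix(w));
    return 0;
}
```

With the 8-bit start offsets applied to 16-bit samples, both cursors finish at a negative offset proportional to the row width; with the corrected offsets they finish exactly at offset 0, the start of the row.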