[libpng12] Ignore, with a warning, out-of-range value of num_trans

in png_set_tRNS().

ANNOUNCE

@@ -1,53 +1,50 @@
 
-Libpng 1.2.50 - July 10, 2012
+Libpng 1.2.51beta01 - December 10, 2012
 
-This is a public release of libpng, intended for use in production codes.
+This is not intended to be a public release.  It will be replaced
+within a few weeks by a public version or by another test version.
 
 Files available for download:
 
 Source files with LF line endings (for Unix/Linux) and with a
 "configure" script
 
-   libpng-1.2.50.tar.xz (LZMA-compressed, recommended)
-   libpng-1.2.50.tar.gz
-   libpng-1.2.50.tar.bz2
+   libpng-1.2.51beta01.tar.xz (LZMA-compressed, recommended)
+   libpng-1.2.51beta01.tar.gz
+   libpng-1.2.51beta01.tar.bz2
 
 Source files with LF line endings (for Unix/Linux) without the
 "configure" script
 
-   libpng-1.2.50-no-config.tar.xz (LZMA-compressed, recommended)
-   libpng-1.2.50-no-config.tar.gz
-   libpng-1.2.50-no-config.tar.bz2
+   libpng-1.2.51beta01-no-config.tar.xz (LZMA-compressed, recommended)
+   libpng-1.2.51beta01-no-config.tar.gz
+   libpng-1.2.51beta01-no-config.tar.bz2
 
 Source files with CRLF line endings (for Windows), without the
 "configure" script
 
-   lpng1250.zip
-   lpng1250.7z
-   lpng1250.tar.bz2
+   lp1251b01.zip
+   lp1251b01.7z
+   lp1251b01.tar.bz2
 
 Project files
 
-   libpng-1.2.50-project-netware.zip
-   libpng-1.2.50-project-wince.zip
+   libpng-1.2.51beta01-project-netware.zip
+   libpng-1.2.51beta01-project-wince.zip
 
 Other information:
 
-   libpng-1.2.50-README.txt
-   libpng-1.2.50-KNOWNBUGS.txt
-   libpng-1.2.50-LICENSE.txt
-   libpng-1.2.50-Y2K-compliance.txt
-   libpng-1.2.50-[previous version]-diff.txt
+   libpng-1.2.51beta01-README.txt
+   libpng-1.2.51beta01-KNOWNBUGS.txt
+   libpng-1.2.51beta01-LICENSE.txt
+   libpng-1.2.51beta01-Y2K-compliance.txt
+   libpng-1.2.51beta01-[previous version]-diff.txt
 
-Changes since the last public release (1.2.49):
+Changes since the last public release (1.2.50):
 
-version 1.2.50 [July 10, 2012]
+version 1.2.51beta01 [December 10, 2012]
+  Ignore, with a warning, out-of-range value of num_trans in png_set_tRNS().
 
-version 1.0.60 and 1.2.50 [July 8, 2012]
-  Changed "a+w" to "u+w" in Makefile.in to fix CVE-2012-3386.
-
-
-Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement
 to subscribe) or to glennrp at users.sourceforge.net

CHANGES

@@ -2771,12 +2771,16 @@ version 1.0.58 and 1.2.48 [March 8, 2012]
 
 version 1.0.59 and 1.2.49 [March 29, 2012]
   Revised png_set_text_2() to avoid potential memory corruption (fixes
-    CVE-2011-3048).
+    CVE-2011-3048, also known as CVE-2012-3425).
   Prevent PNG_EXPAND+PNG_SHIFT doing the shift twice.
 
 version 1.0.60 and 1.2.50 [July 9, 2012]
   Changed "a+w" to "u+w" in Makefile.in to fix CVE-2012-3386.
 
+version 1.2.51beta01 [December 10, 2012]
+  Rebuilt the configure scripts with autoconf-2.69
+  Ignore, with a warning, out-of-range value of num_trans in png_set_tRNS().
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement

pngset.c

@@ -1,7 +1,7 @@
 
 /* pngset.c - storage of image information into info struct
  *
- * Last changed in libpng 1.2.49 [March 29, 2012]
+ * Last changed in libpng 1.2.51 [December 10, 2012]
  * Copyright (c) 1998-2012 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -850,6 +850,12 @@ png_set_tRNS(png_structp png_ptr, png_infop info_ptr,
    if (png_ptr == NULL || info_ptr == NULL)
       return;
 
+   if (num_trans < 0 || num_trans > PNG_MAX_PALETTE_LENGTH)
+      {
+        png_warning(png_ptr, "Ignoring invalid num_trans value");
+        return;
+      }
+
    if (trans != NULL)
    {
        /* It may not actually be necessary to set png_ptr->trans here;