From 6328fc1321662eacc137ab7b981a091480145d1a Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Sun, 7 Feb 2010 19:56:19 -0600 Subject: [PATCH] [legacy] Fixed incorrect test in new png_push_save_buffer() code. --- ANNOUNCE | 39 +++++++++++++++++++++------------------ CHANGES | 5 ++++- pngpread.c | 8 +++++--- 3 files changed, 30 insertions(+), 22 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index 27a9f321..e7eee7e8 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,5 +1,5 @@ -Libpng 1.2.43beta03 - February 7, 2010 +Libpng 1.2.43beta04 - February 8, 2010 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -9,36 +9,36 @@ Files available for download: Source files with LF line endings (for Unix/Linux) and with a "configure" script - libpng-1.2.43beta03.tar.xz (LZMA-compressed, recommended) - libpng-1.2.43beta03.tar.gz - libpng-1.2.43beta03.tar.bz2 + libpng-1.2.43beta04.tar.xz (LZMA-compressed, recommended) + libpng-1.2.43beta04.tar.gz + libpng-1.2.43beta04.tar.bz2 Source files with LF line endings (for Unix/Linux) without the "configure" script - libpng-1.2.43beta03-no-config.tar.xz (LZMA-compressed, recommended) - libpng-1.2.43beta03-no-config.tar.gz - libpng-1.2.43beta03-no-config.tar.bz2 + libpng-1.2.43beta04-no-config.tar.xz (LZMA-compressed, recommended) + libpng-1.2.43beta04-no-config.tar.gz + libpng-1.2.43beta04-no-config.tar.bz2 Source files with CRLF line endings (for Windows), without the "configure" script - lp1243b03.zip - lp1243b03.7z - lp1243b03.tar.bz2 + lp1243b04.zip + lp1243b04.7z + lp1243b04.tar.bz2 Project files - libpng-1.2.43beta03-project-netware.zip - libpng-1.2.43beta03-project-wince.zip + libpng-1.2.43beta04-project-netware.zip + libpng-1.2.43beta04-project-wince.zip Other information: - libpng-1.2.43beta03-README.txt - libpng-1.2.43beta03-KNOWNBUGS.txt - libpng-1.2.43beta03-LICENSE.txt - libpng-1.2.43beta03-Y2K-compliance.txt - libpng-1.2.43beta03-[previous version]-diff.txt + libpng-1.2.43beta04-README.txt + libpng-1.2.43beta04-KNOWNBUGS.txt + libpng-1.2.43beta04-LICENSE.txt + libpng-1.2.43beta04-Y2K-compliance.txt + libpng-1.2.43beta04-[previous version]-diff.txt Changes since the last public release (1.2.42): @@ -57,7 +57,10 @@ version 1.2.43beta02 [February 1, 2010] version 1.2.43beta03 [February 6, 2010] Backported fast png_push_save_buffer() algorithm from libpng-1.4.1 -version 1.0.53rc01 and 1.2.43rc01 [February 7, 2010] +version 1.2.43beta04 [February 7, 2010] + Fixed incorrect test in new png_push_save_buffer() code. + +version 1.0.53rc01 and 1.2.43rc01 [February 8, 2010] No changes. Send comments/corrections/commendations to png-mng-implement at lists.sf.net diff --git a/CHANGES b/CHANGES index 236abf63..9b25a54d 100644 --- a/CHANGES +++ b/CHANGES @@ -2659,7 +2659,10 @@ version 1.2.43beta03 [February 6, 2010] Backported fast png_push_save_buffer() algorithm from libpng-1.4.1. Backported some cosmetic changes from libpng-1.4.1. -version 1.0.53rc01 and 1.2.43rc01 [February 7, 2010] +version 1.2.43beta04 [February 7, 2010] + Fixed incorrect test in new png_push_save_buffer() code. + +version 1.0.53rc01 and 1.2.43rc01 [February 8, 2010] No changes. Send comments/corrections/commendations to png-mng-implement at lists.sf.net diff --git a/pngpread.c b/pngpread.c index 62518966..2e7959a7 100644 --- a/pngpread.c +++ b/pngpread.c @@ -1,7 +1,7 @@ /* pngpread.c - read a png file in push mode * - * Last changed in libpng 1.2.43 [February 7, 2010] + * Last changed in libpng 1.2.43 [February 8, 2010] * Copyright (c) 1998-2010 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -694,8 +694,10 @@ png_push_save_buffer(png_structp png_ptr) png_size_t new_max; png_bytep old_buffer; - if (png_ptr->save_buffer_size == PNG_SIZE_MAX) - png_error(png_ptr, "Overflow of save_buffer"); + if (png_ptr->save_buffer_max == PNG_SIZE_MAX || + (png_ptr->save_buffer_size > PNG_SIZE_MAX - + png_ptr->current_buffer_size)) + png_error(png_ptr, "Overflow of save_buffer"); if (png_ptr->save_buffer_size > PNG_SIZE_MAX - (png_ptr->current_buffer_size +