diff -ru4NwbB libpng-1.4.4/configure.ac libpng-1.4.5rc03/configure.ac --- libpng-1.4.4/configure.ac 2010-09-23 07:18:40.435665492 -0500 +++ libpng-1.4.5rc03/configure.ac 2010-12-03 09:55:33.254253107 -0600 @@ -15,20 +15,20 @@ dnl should not be necessary to regenerate configure if the time dnl stamps are correct AC_PREREQ(2.59) +AC_INIT([libpng], [1.4.5rc03], [png-mng-implement@lists.sourceforge.net]) +AM_INIT_AUTOMAKE +dnl stop configure from automagically running automake +AM_MAINTAINER_MODE + dnl Version number stuff here: PNGLIB_VERSION=1.4.5rc03 PNGLIB_MAJOR=1 -PNGLIB_MINOR=%RELEASE% +PNGLIB_MINOR=4 PNGLIB_RELEASE=%RELEASE% -AC_INIT([libpng], [1.4.5rc03], [png-mng-implement@lists.sourceforge.net]) -AM_INIT_AUTOMAKE -dnl stop configure from automagically running automake -AM_MAINTAINER_MODE - dnl End of version number stuff AC_CONFIG_SRCDIR([pngget.c]) AM_CONFIG_HEADER(config.h) diff -ru4NwbB libpng-1.4.4/contrib/pngminim/decoder/gather.sh libpng-1.4.5rc03/contrib/pngminim/decoder/gather.sh --- libpng-1.4.4/contrib/pngminim/decoder/gather.sh 2010-09-23 07:18:34.847974509 -0500 +++ libpng-1.4.5rc03/contrib/pngminim/decoder/gather.sh 2010-12-03 09:55:26.625945341 -0600 @@ -1,4 +1,6 @@ +#!/bin/sh + cp ../../pngminus/png2pnm.c pngm2pnm.c cp ../../../*.h . cp ../../../*.c . rm example.c pngtest.c pngpread.c pngw*.c diff -ru4NwbB libpng-1.4.4/contrib/pngminim/encoder/gather.sh libpng-1.4.5rc03/contrib/pngminim/encoder/gather.sh --- libpng-1.4.4/contrib/pngminim/encoder/gather.sh 2010-09-23 07:18:34.883308073 -0500 +++ libpng-1.4.5rc03/contrib/pngminim/encoder/gather.sh 2010-12-03 09:55:26.661169998 -0600 @@ -1,4 +1,6 @@ +#!/bin/sh + cp ../../pngminus/pnm2png.c pnm2pngm.c cp ../../../*.h . cp ../../../*.c . rm example.c pngtest.c pngr*.c pngpread.c diff -ru4NwbB libpng-1.4.4/contrib/pngminim/preader/gather.sh libpng-1.4.5rc03/contrib/pngminim/preader/gather.sh --- libpng-1.4.4/contrib/pngminim/preader/gather.sh 2010-09-23 07:18:34.918412952 -0500 +++ libpng-1.4.5rc03/contrib/pngminim/preader/gather.sh 2010-12-03 09:55:26.696328247 -0600 @@ -1,4 +1,6 @@ +#!/bin/sh + cp ../../gregbook/rpng2-x.c ../../gregbook/readpng2.[ch] . cp ../../gregbook/COPYING ../../gregbook/LICENSE . cp ../../../*.h . cp ../../../*.c . diff -ru4NwbB libpng-1.4.4/png.c libpng-1.4.5rc03/png.c --- libpng-1.4.4/png.c 2010-09-23 07:18:34.010735709 -0500 +++ libpng-1.4.5rc03/png.c 2010-12-03 09:55:25.472426983 -0600 @@ -18,12 +18,8 @@ /* Generate a compiler error if there is an old png.h in the search path. */ typedef version_%_VER_% Your_png_h_is_not_version_%_VER_%; -/* Version information for C files. This had better match the version - * string defined in png.h. - */ - /* Tells libpng that we have already handled the first "num_bytes" bytes * of the PNG file signature. If the PNG data is embedded into another * stream we can set num_bytes = 8 so that libpng will not attempt to read * or write any of the magic bytes before it starts on the IHDR. diff -ru4NwbB libpng-1.4.4/png.h libpng-1.4.5rc03/png.h --- libpng-1.4.4/png.h 2010-09-23 07:18:33.979216289 -0500 +++ libpng-1.4.5rc03/png.h 2010-12-03 09:55:25.439123236 -0600 @@ -145,9 +145,14 @@ * 1.4.3beta01-05 14 10403 14.so.14.3[.0] * 1.4.3rc01-03 14 10403 14.so.14.3[.0] * 1.4.3 14 10403 14.so.14.3[.0] * 1.4.4beta01-08 14 10404 14.so.14.4[.0] - * 1.4.4rc01-06 14 10404 14.so.14.4[.0] + * 1.4.4rc01-05 14 10404 14.so.14.4[.0] + * 1.4.4 14 10404 14.so.14.4[.0] + * 1.4.5beta01-04 14 10405 14.so.14.5[.0] + * 1.4.5rc01 14 10405 14.so.14.5[.0] + * 1.4.5beta05-07 14 10405 14.so.14.5[.0] + * 1.4.5rc02 14 10405 14.so.14.5[.0] * * Henceforth the source version will match the shared-library major * and minor numbers; the shared-library major version number will be * used for changes in backward compatibility, as it is intended. The @@ -2644,14 +2649,26 @@ (((png_uint_32)(*(buf)) << 24) + \ ((png_uint_32)(*((buf) + 1)) << 16) + \ ((png_uint_32)(*((buf) + 2)) << 8) + \ ((png_uint_32)(*((buf) + 3)))) + + /* The following definition introduces an API incompatibility (but not + * an ABI incompatibility) with libpng-1.4.0 through 1.4.4. Prior to + * libpng-1.4.5 the macro, which is used by default, returned (incorrectly) + * a (png_uint_32), while the function, if used instead, correctly returned + * a (png_uint_16). + * + * Libpng versions 1.0.x and 1.2.x only used a function so are not affected + * by this potential API incompatibility between macros. + */ # define png_get_uint_16(buf) \ - (((png_uint_32)(*(buf)) << 8) + \ - ((png_uint_32)(*((buf) + 1)))) + ((png_uint_16) \ + (((unsigned int)(*(buf)) << 8) + \ + ((unsigned int)(*((buf) + 1))))) + # define png_get_int_32(buf) \ ((png_int_32)((*(buf) & 0x80) \ - ? -((png_int_32)((png_get_uint_32(buf) ^ 0xffffffff)+1)) \ + ? -((png_int_32)((png_get_uint_32(buf) ^ 0xffffffffL) + 1)) \ : (png_int_32)png_get_uint_32(buf))) #else PNG_EXPORT(png_uint_32,png_get_uint_32) PNGARG((png_bytep buf)); PNG_EXPORT(png_uint_16,png_get_uint_16) PNGARG((png_bytep buf)); diff -ru4NwbB libpng-1.4.4/pngpread.c libpng-1.4.5rc03/pngpread.c --- libpng-1.4.4/pngpread.c 2010-09-23 07:18:34.039740864 -0500 +++ libpng-1.4.5rc03/pngpread.c 2010-12-03 09:55:25.502417896 -0600 @@ -1108,8 +1108,10 @@ } break; } + + default: case 6: { png_push_have_row(png_ptr, png_ptr->row_buf + 1); png_read_push_finish_row(png_ptr); diff -ru4NwbB libpng-1.4.4/pngpriv.h libpng-1.4.5rc03/pngpriv.h --- libpng-1.4.4/pngpriv.h 2010-09-23 07:18:33.995408230 -0500 +++ libpng-1.4.5rc03/pngpriv.h 2010-12-03 09:55:25.456646812 -0600 @@ -289,8 +289,11 @@ /* Write the "data" buffer to whatever output you are using */ PNG_EXTERN void png_write_data PNGARG((png_structp png_ptr, png_bytep data, png_size_t length)); +/* Read and check the PNG file signature */ +PNG_EXTERN void png_read_sig PNGARG((png_structp png_ptr, png_infop info_ptr)); + /* Read the chunk header (length + type name) */ PNG_EXTERN png_uint_32 png_read_chunk_header PNGARG((png_structp png_ptr)); /* Read data from whatever input you are using into the "data" buffer */ diff -ru4NwbB libpng-1.4.4/pngread.c libpng-1.4.5rc03/pngread.c --- libpng-1.4.4/pngread.c 2010-09-23 07:18:34.048584617 -0500 +++ libpng-1.4.5rc03/pngread.c 2010-12-03 09:55:25.511713911 -0600 @@ -1,8 +1,8 @@ /* pngread.c - read a PNG file * - * Last changed in libpng 1.4.1 [February 25, 2010] + * Last changed in libpng 1.4.5 [December 3, 2010] * Copyright (c) 1998-2010 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -217,32 +217,10 @@ if (png_ptr == NULL || info_ptr == NULL) return; - /* If we haven't checked all of the PNG signature bytes, do so now. */ - if (png_ptr->sig_bytes < 8) - { - png_size_t num_checked = png_ptr->sig_bytes, - num_to_check = 8 - num_checked; - -#ifdef PNG_IO_STATE_SUPPORTED - png_ptr->io_state = PNG_IO_READING | PNG_IO_SIGNATURE; -#endif - - png_read_data(png_ptr, &(info_ptr->signature[num_checked]), num_to_check); - png_ptr->sig_bytes = 8; - - if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check)) - { - if (num_checked < 4 && - png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4)) - png_error(png_ptr, "Not a PNG file"); - else - png_error(png_ptr, "PNG file corrupted by ASCII conversion"); - } - if (num_checked < 3) - png_ptr->mode |= PNG_HAVE_PNG_SIGNATURE; - } + /* Read and check the PNG file signature. */ + png_read_sig(png_ptr, info_ptr); for (;;) { PNG_IHDR; @@ -573,8 +556,10 @@ png_read_finish_row(png_ptr); return; } break; + + default: case 6: if (!(png_ptr->row_number & 1)) { png_read_finish_row(png_ptr); diff -ru4NwbB libpng-1.4.4/pngrio.c libpng-1.4.5rc03/pngrio.c --- libpng-1.4.4/pngrio.c 2010-09-23 07:18:34.053580443 -0500 +++ libpng-1.4.5rc03/pngrio.c 2010-12-03 09:55:25.516980433 -0600 @@ -1,8 +1,8 @@ /* pngrio.c - functions for data input * - * Last changed in libpng 1.4.1 [February 25, 2010] + * Last changed in libpng 1.4.5 [December 3, 2010] * Copyright (c) 1998-2010 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * diff -ru4NwbB libpng-1.4.4/pngrtran.c libpng-1.4.5rc03/pngrtran.c --- libpng-1.4.4/pngrtran.c 2010-09-23 07:18:34.068972033 -0500 +++ libpng-1.4.5rc03/pngrtran.c 2010-12-03 09:55:25.534104994 -0600 @@ -1,8 +1,8 @@ /* pngrtran.c - transforms the data in a row for PNG readers * - * Last changed in libpng 1.4.2 [May 6, 2010] + * Last changed in libpng 1.4.5 [December 3, 2010] * Copyright (c) 1998-2010 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -685,8 +685,13 @@ case 2: png_ptr->transformations |= PNG_RGB_TO_GRAY_WARN; break; case 3: png_ptr->transformations |= PNG_RGB_TO_GRAY_ERR; + break; + + default: + png_error(png_ptr, "invalid error action in png_set_rgb_to_gray"); + break; } if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) #ifdef PNG_READ_EXPAND_SUPPORTED png_ptr->transformations |= PNG_EXPAND; @@ -827,8 +832,10 @@ = png_ptr->trans_color.blue = png_ptr->trans_color.gray; } break; + default: + case 8: case 16: png_ptr->background.red = png_ptr->background.green @@ -1027,8 +1034,11 @@ g = 1.0 / (png_ptr->background_gamma); gs = 1.0 / (png_ptr->background_gamma * png_ptr->screen_gamma); break; + + default: + png_error(png_ptr, "invalid background gamma type"); } png_ptr->background_1.gray = (png_uint_16)(pow( (double)png_ptr->background.gray / m, g) * m + .5); @@ -1625,8 +1635,11 @@ dp--; } break; } + + default: + break; } row_info->bit_depth = 8; row_info->pixel_depth = (png_byte)(8 * row_info->channels); row_info->rowbytes = row_width * row_info->channels; @@ -1681,8 +1694,11 @@ return; switch (row_info->bit_depth) { + default: + break; + case 2: { png_bytep bp; png_uint_32 i; @@ -2797,8 +2813,11 @@ } } break; } + + default: + break; } break; } @@ -3229,8 +3248,11 @@ } } break; } + + default: + break; } if (row_info->color_type & PNG_COLOR_MASK_ALPHA) { @@ -3427,8 +3449,11 @@ } } break; } + + default: + break; } } } #endif @@ -3521,8 +3546,11 @@ dp--; } break; } + + default: + break; } row_info->bit_depth = 8; row_info->pixel_depth = 8; row_info->rowbytes = row_width; @@ -3671,8 +3699,11 @@ dp--; } break; } + + default: + break; } row_info->bit_depth = 8; row_info->pixel_depth = 8; diff -ru4NwbB libpng-1.4.4/pngrutil.c libpng-1.4.5rc03/pngrutil.c --- libpng-1.4.4/pngrutil.c 2010-09-23 07:18:34.082843266 -0500 +++ libpng-1.4.5rc03/pngrutil.c 2010-12-03 09:55:25.549338505 -0600 @@ -1,8 +1,8 @@ /* pngrutil.c - utilities to read a PNG file * - * Last changed in libpng 1.4.4 [August 26, 2010] + * Last changed in libpng 1.4.5 [December 3, 2010] * Copyright (c) 1998-2010 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -22,25 +22,31 @@ # define png_strtod(p,a,b) strtod(a,b) png_uint_32 PNGAPI png_get_uint_31(png_structp png_ptr, png_bytep buf) { - png_uint_32 i = png_get_uint_32(buf); - if (i > PNG_UINT_31_MAX) + png_uint_32 val = png_get_uint_32(buf); + + if (val > PNG_UINT_31_MAX) png_error(png_ptr, "PNG unsigned integer out of range"); - return (i); + return (val); } + #ifndef PNG_USE_READ_MACROS +/* The parentheses around "PNGAPI function_name" in the following three + * functions are necessary because they allow the macros to co-exist with + * these (unused but exported) functions. + */ + /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */ png_uint_32 (PNGAPI png_get_uint_32)(png_bytep buf) { - png_uint_32 i = - ((png_uint_32)(*(buf )) << 24) + - ((png_uint_32)(*(buf + 1)) << 16) + - ((png_uint_32)(*(buf + 2)) << 8) + - ((png_uint_32)(*(buf + 3)) ) ; + png_uint_32 uval = png_get_uint_32(buf); + if ((uval & 0x80000000L) == 0) /* non-negative */ + return uval; - return (i); + uval = (uval ^ 0xffffffffL) + 1; /* 2's complement: -x = ~x+1 */ + return -(png_int_32)uval; } /* Grab a signed 32-bit integer from a buffer in big-endian format. The * data is stored in the PNG file in two's complement format and there @@ -49,28 +55,67 @@ */ png_int_32 (PNGAPI png_get_int_32)(png_bytep buf) { - png_uint_32 u = png_get_uint_32(buf); - if ((u & 0x80000000) == 0) /* non-negative */ - return u; + png_uint_32 uval = png_get_uint_32(buf); + if ((uval & 0x80000000L) == 0) /* non-negative */ + return uval; - u = (u ^ 0xffffffff) + 1; /* 2's complement: -x = ~x+1 */ - return -(png_int_32)u; + uval = (uval ^ 0xffffffffL) + 1; /* 2's complement: -x = ~x+1 */ + return -(png_int_32)uval; } /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */ png_uint_16 (PNGAPI png_get_uint_16)(png_bytep buf) { - png_uint_16 i = - ((png_uint_32)(*buf) << 8) + - ((png_uint_32)(*(buf + 1))); + /* ANSI-C requires an int value to accomodate at least 16 bits so this + * works and allows the compiler not to worry about possible narrowing + * on 32 bit systems. (Pre-ANSI systems did not make integers smaller + * than 16 bits either.) + */ + unsigned int val = + ((unsigned int)(*buf) << 8) + + ((unsigned int)(*(buf + 1))); - return (i); + return (png_uint_16)val; } #endif /* PNG_USE_READ_MACROS */ +/* Read and check the PNG file signature */ +void /* PRIVATE */ +png_read_sig(png_structp png_ptr, png_infop info_ptr) +{ + png_size_t num_checked, num_to_check; + + /* Exit if the user application does not expect a signature. */ + if (png_ptr->sig_bytes >= 8) + return; + + num_checked = png_ptr->sig_bytes; + num_to_check = 8 - num_checked; + +#ifdef PNG_IO_STATE_SUPPORTED + png_ptr->io_state = PNG_IO_READING | PNG_IO_SIGNATURE; +#endif + + /* The signature must be serialized in a single I/O call. */ + png_read_data(png_ptr, &(info_ptr->signature[num_checked]), num_to_check); + png_ptr->sig_bytes = 8; + + if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check)) + { + if (num_checked < 4 && + png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4)) + png_error(png_ptr, "Not a PNG file"); + + else + png_error(png_ptr, "PNG file corrupted by ASCII conversion"); + } + if (num_checked < 3) + png_ptr->mode |= PNG_HAVE_PNG_SIGNATURE; +} + /* Read the chunk header (length + type name). * Put the type name into png_ptr->chunk_name, and return the length. */ png_uint_32 /* PRIVATE */ @@ -79,34 +124,33 @@ png_byte buf[8]; png_uint_32 length; #ifdef PNG_IO_STATE_SUPPORTED - /* Inform the I/O callback that the chunk header is being read. - * PNG_IO_CHUNK_HDR requires a single I/O call. - */ png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_HDR; #endif - /* Read the length and the chunk name */ + /* Read the length and the chunk name. + * This must be performed in a single I/O call. + */ png_read_data(png_ptr, buf, 8); length = png_get_uint_31(png_ptr, buf); - /* Put the chunk name into png_ptr->chunk_name */ + /* Put the chunk name into png_ptr->chunk_name. */ png_memcpy(png_ptr->chunk_name, buf + 4, 4); png_debug2(0, "Reading %s chunk, length = %lu", png_ptr->chunk_name, length); - /* Reset the crc and run it over the chunk name */ + /* Reset the crc and run it over the chunk name. */ png_reset_crc(png_ptr); png_calculate_crc(png_ptr, png_ptr->chunk_name, 4); - /* Check to see if chunk name is valid */ + /* Check to see if chunk name is valid. */ png_check_chunk_name(png_ptr, png_ptr->chunk_name); #ifdef PNG_IO_STATE_SUPPORTED - /* Inform the I/O callback that chunk data will (possibly) be read. - * PNG_IO_CHUNK_DATA does NOT require a specific number of I/O calls. + /* It is unspecified how many I/O calls will be performed + * during the serialization of the chunk data. */ png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA; #endif @@ -185,13 +234,12 @@ need_crc = 0; } #ifdef PNG_IO_STATE_SUPPORTED - /* Inform the I/O callback that the chunk CRC is being read */ - /* PNG_IO_CHUNK_CRC requires the I/O to be done at once */ png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_CRC; #endif + /* The chunk CRC must be serialized in a single I/O call. */ png_read_data(png_ptr, crc_bytes, 4); if (need_crc) { @@ -3108,19 +3161,12 @@ if (!(png_ptr->zstream.avail_in)) { while (!png_ptr->idat_size) { - png_byte chunk_length[4]; - png_crc_finish(png_ptr, 0); - - png_read_data(png_ptr, chunk_length, 4); - png_ptr->idat_size = png_get_uint_31(png_ptr, chunk_length); - png_reset_crc(png_ptr); - png_crc_read(png_ptr, png_ptr->chunk_name, 4); + png_ptr->idat_size = png_read_chunk_header(png_ptr); if (png_memcmp(png_ptr->chunk_name, png_IDAT, 4)) png_error(png_ptr, "Not enough image data"); - } png_ptr->zstream.avail_in = (uInt)png_ptr->zbuf_size; png_ptr->zstream.next_in = png_ptr->zbuf; if (png_ptr->zbuf_size > png_ptr->idat_size) diff -ru4NwbB libpng-1.4.4/pngset.c libpng-1.4.5rc03/pngset.c --- libpng-1.4.4/pngset.c 2010-09-23 07:18:34.091076135 -0500 +++ libpng-1.4.5rc03/pngset.c 2010-12-03 09:55:25.558229335 -0600 @@ -1,8 +1,8 @@ /* pngset.c - storage of image information into info struct * - * Last changed in libpng 1.4.1 [February 25, 2010] + * Last changed in libpng 1.4.5 [December 3, 2010] * Copyright (c) 1998-2010 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -689,8 +689,15 @@ if (text_ptr[i].key == NULL) continue; + if (text_ptr[i].compression < PNG_TEXT_COMPRESSION_NONE || + text_ptr[i].compression >= PNG_TEXT_COMPRESSION_LAST) + { + png_warning(png_ptr, "text compression mode is out of range"); + continue; + } + key_len = png_strlen(text_ptr[i].key); if (text_ptr[i].compression <= 0) { diff -ru4NwbB libpng-1.4.4/pngtest.c libpng-1.4.5rc03/pngtest.c --- libpng-1.4.4/pngtest.c 2010-09-23 07:18:34.100112193 -0500 +++ libpng-1.4.5rc03/pngtest.c 2010-12-03 09:55:25.568103063 -0600 @@ -1,8 +1,8 @@ /* pngtest.c - a simple test program to test libpng * - * Last changed in libpng 1.4.1 [February 25, 2010] + * Last changed in libpng 1.4.5 [December 3, 2010] * Copyright (c) 1998-2010 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -262,8 +262,50 @@ * read_data function and use it at run time with png_set_read_fn(), rather * than changing the library. */ +#ifdef PNG_IO_STATE_SUPPORTED +void +pngtest_check_io_state(png_structp png_ptr, png_size_t data_length, + png_uint_32 io_op); +void +pngtest_check_io_state(png_structp png_ptr, png_size_t data_length, + png_uint_32 io_op) +{ + png_uint_32 io_state = png_get_io_state(png_ptr); + int err = 0; + + /* Check if the current operation (reading / writing) is as expected. */ + if ((io_state & PNG_IO_MASK_OP) != io_op) + png_error(png_ptr, "Incorrect operation in I/O state"); + + /* Check if the buffer size specific to the current location + * (file signature / header / data / crc) is as expected. + */ + switch (io_state & PNG_IO_MASK_LOC) + { + case PNG_IO_SIGNATURE: + if (data_length > 8) + err = 1; + break; + case PNG_IO_CHUNK_HDR: + if (data_length != 8) + err = 1; + break; + case PNG_IO_CHUNK_DATA: + break; /* no restrictions here */ + case PNG_IO_CHUNK_CRC: + if (data_length != 4) + err = 1; + break; + default: + err = 1; /* uninitialized */ + } + if (err) + png_error(png_ptr, "Bad I/O state or buffer size"); +} +#endif + #ifndef USE_FAR_KEYWORD static void pngtest_read_data(png_structp png_ptr, png_bytep data, png_size_t length) { @@ -280,10 +322,14 @@ } if (check != length) { - png_error(png_ptr, "Read Error!"); + png_error(png_ptr, "Read Error"); } + +#ifdef PNG_IO_STATE_SUPPORTED + pngtest_check_io_state(png_ptr, length, PNG_IO_READING); +#endif } #else /* This is the model-independent version. Since the standard I/O library can't handle far buffers in the medium and small models, we have to copy @@ -327,9 +373,13 @@ } while (remaining != 0); } if (check != length) - png_error(png_ptr, "read Error"); + png_error(png_ptr, "Read Error"); + +#ifdef PNG_IO_STATE_SUPPORTED + pngtest_check_io_state(png_ptr, length, PNG_IO_READING); +#endif } #endif /* USE_FAR_KEYWORD */ #ifdef PNG_WRITE_FLUSH_SUPPORTED @@ -358,8 +408,12 @@ if (check != length) { png_error(png_ptr, "Write Error"); } + +#ifdef PNG_IO_STATE_SUPPORTED + pngtest_check_io_state(png_ptr, length, PNG_IO_WRITING); +#endif } #else /* This is the model-independent version. Since the standard I/O library can't handle far buffers in the medium and small models, we have to copy @@ -406,8 +460,12 @@ if (check != length) { png_error(png_ptr, "Write Error"); } + +#ifdef PNG_IO_STATE_SUPPORTED + pngtest_check_io_state(png_ptr, length, PNG_IO_WRITING); +#endif } #endif /* USE_FAR_KEYWORD */ /* This function is called when there is a warning, but the library thinks diff -ru4NwbB libpng-1.4.4/pngwtran.c libpng-1.4.5rc03/pngwtran.c --- libpng-1.4.4/pngwtran.c 2010-09-23 07:18:34.127486873 -0500 +++ libpng-1.4.5rc03/pngwtran.c 2010-12-03 09:55:25.596423856 -0600 @@ -194,8 +194,11 @@ if (shift != 4) *dp = (png_byte)v; break; } + + default: + break; } row_info->bit_depth = (png_byte)bit_depth; row_info->pixel_depth = (png_byte)(bit_depth * row_info->channels); row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, diff -ru4NwbB libpng-1.4.4/pngwutil.c libpng-1.4.5rc03/pngwutil.c --- libpng-1.4.4/pngwutil.c 2010-09-23 07:18:34.139198088 -0500 +++ libpng-1.4.5rc03/pngwutil.c 2010-12-03 09:55:25.609156020 -0600 @@ -245,12 +245,14 @@ * wouldn't cause a failure, just a slowdown due to swapping). */ /* Set up the compression buffers */ + /* TODO: the following cast hides a potential overflow problem. */ png_ptr->zstream.avail_in = (uInt)text_len; + /* NOTE: assume zlib doesn't overwrite the input */ png_ptr->zstream.next_in = (Bytef *)text; - png_ptr->zstream.avail_out = (uInt)png_ptr->zbuf_size; - png_ptr->zstream.next_out = (Bytef *)png_ptr->zbuf; + png_ptr->zstream.avail_out = png_ptr->zbuf_size; + png_ptr->zstream.next_out = png_ptr->zbuf; /* This is the same compression loop as in png_write_row() */ do {