aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch
blob: 818d369b26e567a5cec466a63b22983d0be351b0 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
From 94899f849e50a765bb26420f5c70d49002d6673f Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
Date: Mon, 26 Jan 2015 16:07:00 -0500
Subject: [PATCH] Bug 1117406 - Fix handling of out-of-range PNG tRNS values.
 r=jmuizelaar, a=abillings

---
 image/decoders/nsPNGDecoder.cpp | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/image/decoders/nsPNGDecoder.cpp b/image/decoders/nsPNGDecoder.cpp
index acaa835..8e6bc2d 100644
--- a/image/decoders/nsPNGDecoder.cpp
+++ b/image/decoders/nsPNGDecoder.cpp
@@ -528,24 +528,26 @@ nsPNGDecoder::info_callback(png_structp png_ptr, png_infop info_ptr)
     png_set_expand(png_ptr);
 
   if (png_get_valid(png_ptr, info_ptr, PNG_INFO_tRNS)) {
-    int sample_max = (1 << bit_depth);
     png_color_16p trans_values;
     png_get_tRNS(png_ptr, info_ptr, &trans, &num_trans, &trans_values);
     /* libpng doesn't reject a tRNS chunk with out-of-range samples
        so we check it here to avoid setting up a useless opacity
-       channel or producing unexpected transparent pixels when using
-       libpng-1.2.19 through 1.2.26 (bug #428045) */
-    if ((color_type == PNG_COLOR_TYPE_GRAY &&
-       (int)trans_values->gray > sample_max) ||
-       (color_type == PNG_COLOR_TYPE_RGB &&
-       ((int)trans_values->red > sample_max ||
-       (int)trans_values->green > sample_max ||
-       (int)trans_values->blue > sample_max)))
+       channel or producing unexpected transparent pixels (bug #428045) */
+    if (bit_depth < 16) {
+      png_uint_16 sample_max = (1 << bit_depth) - 1;
+      if ((color_type == PNG_COLOR_TYPE_GRAY &&
+           trans_values->gray > sample_max) ||
+           (color_type == PNG_COLOR_TYPE_RGB &&
+           (trans_values->red > sample_max ||
+           trans_values->green > sample_max ||
+           trans_values->blue > sample_max)))
       {
         /* clear the tRNS valid flag and release tRNS memory */
         png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
+        num_trans = 0;
       }
-    else
+    }
+    if (num_trans != 0)
       png_set_expand(png_ptr);
   }
 
-- 
2.2.1