From ea320dab8bc491c10b1584a6617378cecea9f4fa Mon Sep 17 00:00:00 2001 From: Matthieu Darbois Date: Tue, 6 Sep 2016 07:54:29 +0200 Subject: [PATCH 1/6] Add overflow check in opj_tcd_init_tile (#819) --- src/lib/openjp2/tcd.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c index b8cd3072..12da05ca 100644 --- a/src/lib/openjp2/tcd.c +++ b/src/lib/openjp2/tcd.c @@ -808,12 +808,22 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, l_br_prc_y_end = opj_int_ceildivpow2(l_res->y1, (OPJ_INT32)l_pdy) << l_pdy; /*fprintf(stderr, "\t\t\tprc_x_start=%d, prc_y_start=%d, br_prc_x_end=%d, br_prc_y_end=%d \n", l_tl_prc_x_start, l_tl_prc_y_start, l_br_prc_x_end ,l_br_prc_y_end );*/ - l_res->pw = (l_res->x0 == l_res->x1) ? 0 : (OPJ_UINT32)((l_br_prc_x_end - l_tl_prc_x_start) >> l_pdx); - l_res->ph = (l_res->y0 == l_res->y1) ? 0 : (OPJ_UINT32)((l_br_prc_y_end - l_tl_prc_y_start) >> l_pdy); + l_res->pw = (l_res->x0 == l_res->x1) ? 0U : (OPJ_UINT32)((l_br_prc_x_end - l_tl_prc_x_start) >> l_pdx); + l_res->ph = (l_res->y0 == l_res->y1) ? 0U : (OPJ_UINT32)((l_br_prc_y_end - l_tl_prc_y_start) >> l_pdy); /*fprintf(stderr, "\t\t\tres_pw=%d, res_ph=%d\n", l_res->pw, l_res->ph );*/ - + + if ((l_res->pw != 0U) && ((((OPJ_UINT32)-1) / l_res->pw) < l_res->ph)) { + opj_event_msg(manager, EVT_ERROR, "Not enough memory for tile data\n"); + return OPJ_FALSE; + } l_nb_precincts = l_res->pw * l_res->ph; + + if ((((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(opj_tcd_precinct_t)) < l_nb_precincts) { + opj_event_msg(manager, EVT_ERROR, "Not enough memory for tile data\n"); + return OPJ_FALSE; + } l_nb_precinct_size = l_nb_precincts * (OPJ_UINT32)sizeof(opj_tcd_precinct_t); + if (resno == 0) { tlcbgxstart = l_tl_prc_x_start; tlcbgystart = l_tl_prc_y_start; @@ -870,6 +880,7 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, if (!l_band->precincts && (l_nb_precincts > 0U)) { l_band->precincts = (opj_tcd_precinct_t *) opj_malloc( /*3 * */ l_nb_precinct_size); if (! l_band->precincts) { + opj_event_msg(manager, EVT_ERROR, "Not enough memory to handle band precints\n"); return OPJ_FALSE; } /*fprintf(stderr, "\t\t\t\tAllocate precincts of a band (opj_tcd_precinct_t): %d\n",l_nb_precinct_size); */ From c16bc057ba3f125051c9966cf1f5b68a05681de4 Mon Sep 17 00:00:00 2001 From: trylab Date: Tue, 6 Sep 2016 13:55:49 +0800 Subject: [PATCH 2/6] Fix an integer overflow issue (#809) Prevent an integer overflow issue in function opj_pi_create_decode of pi.c. --- src/lib/openjp2/pi.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c index cffad668..36e2ff0c 100644 --- a/src/lib/openjp2/pi.c +++ b/src/lib/openjp2/pi.c @@ -1237,7 +1237,13 @@ opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image, l_current_pi = l_pi; /* memory allocation for include */ - l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16)); + /* prevent an integer overflow issue */ + l_current_pi->include = 00; + if (l_step_l <= (SIZE_MAX / (l_tcp->numlayers + 1U))) + { + l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16)); + } + if (!l_current_pi->include) { From 734d57d5f7842aa7c2c9f36d62131ab4d8bd6c87 Mon Sep 17 00:00:00 2001 From: Matthieu Darbois Date: Tue, 6 Sep 2016 22:33:26 +0200 Subject: [PATCH 3/6] fix incrementing of "l_tcp->m_nb_mcc_records" in opj_j2k_read_mcc (#820) --- src/lib/openjp2/j2k.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c index 01d1a4ff..1cff598c 100644 --- a/src/lib/openjp2/j2k.c +++ b/src/lib/openjp2/j2k.c @@ -5405,6 +5405,7 @@ static OPJ_BOOL opj_j2k_read_mcc ( opj_j2k_t *p_j2k, OPJ_UINT32 l_nb_collections; OPJ_UINT32 l_nb_comps; OPJ_UINT32 l_nb_bytes_by_comp; + OPJ_BOOL l_new_mcc = OPJ_FALSE; /* preconditions */ assert(p_header_data != 00); @@ -5466,6 +5467,7 @@ static OPJ_BOOL opj_j2k_read_mcc ( opj_j2k_t *p_j2k, memset(l_mcc_record,0,(l_tcp->m_nb_max_mcc_records-l_tcp->m_nb_mcc_records) * sizeof(opj_simple_mcc_decorrelation_data_t)); } l_mcc_record = l_tcp->m_mcc_records + l_tcp->m_nb_mcc_records; + l_new_mcc = OPJ_TRUE; } l_mcc_record->m_index = l_indix; @@ -5601,7 +5603,9 @@ static OPJ_BOOL opj_j2k_read_mcc ( opj_j2k_t *p_j2k, return OPJ_FALSE; } - ++l_tcp->m_nb_mcc_records; + if (l_new_mcc) { + ++l_tcp->m_nb_mcc_records; + } return OPJ_TRUE; } From 275aad4df8620660a9bd10c52b01f3c710481464 Mon Sep 17 00:00:00 2001 From: Matthieu Darbois Date: Tue, 6 Sep 2016 22:33:45 +0200 Subject: [PATCH 4/6] Update to libpng 1.6.25 (#821) --- thirdparty/libpng/LICENSE | 4 +-- thirdparty/libpng/png.c | 50 ++++++++++++++++++++++++----- thirdparty/libpng/png.h | 28 ++++++++++------- thirdparty/libpng/pngconf.h | 2 +- thirdparty/libpng/pnglibconf.h | 4 +-- thirdparty/libpng/pngmem.c | 2 +- thirdparty/libpng/pngpriv.h | 57 ++++++++++++++++++++++++++++++++-- thirdparty/libpng/pngrutil.c | 4 +-- 8 files changed, 121 insertions(+), 30 deletions(-) diff --git a/thirdparty/libpng/LICENSE b/thirdparty/libpng/LICENSE index d20f39e2..d48a293c 100644 --- a/thirdparty/libpng/LICENSE +++ b/thirdparty/libpng/LICENSE @@ -10,7 +10,7 @@ this sentence. This code is released under the libpng license. -libpng versions 1.0.7, July 1, 2000 through 1.6.24, August 4, 2016 are +libpng versions 1.0.7, July 1, 2000 through 1.6.25, September 1, 2016 are Copyright (c) 2000-2002, 2004, 2006-2016 Glenn Randers-Pehrson, are derived from libpng-1.0.6, and are distributed according to the same disclaimer and license as libpng-1.0.6 with the following individuals @@ -127,4 +127,4 @@ any encryption software. See the EAR, paragraphs 734.3(b)(3) and Glenn Randers-Pehrson glennrp at users.sourceforge.net -August 4, 2016 +September 1, 2016 diff --git a/thirdparty/libpng/png.c b/thirdparty/libpng/png.c index 0843ebbc..33e8c8f2 100644 --- a/thirdparty/libpng/png.c +++ b/thirdparty/libpng/png.c @@ -1,8 +1,8 @@ /* png.c - location for general purpose libpng functions * - * Last changed in libpng 1.6.24 [August 4, 2016] - * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson + * Last changed in libpng 1.6.25 [September 1, 2016] + * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -14,7 +14,7 @@ #include "pngpriv.h" /* Generate a compiler error if there is an old png.h in the search path. */ -typedef png_libpng_version_1_6_24 Your_png_h_is_not_version_1_6_24; +typedef png_libpng_version_1_6_25 Your_png_h_is_not_version_1_6_25; /* Tells libpng that we have already handled the first "num_bytes" bytes * of the PNG file signature. If the PNG data is embedded into another @@ -775,14 +775,14 @@ png_get_copyright(png_const_structrp png_ptr) #else # ifdef __STDC__ return PNG_STRING_NEWLINE \ - "libpng version 1.6.24 - August 4, 2016" PNG_STRING_NEWLINE \ + "libpng version 1.6.25 - September 1, 2016" PNG_STRING_NEWLINE \ "Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson" \ PNG_STRING_NEWLINE \ "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \ "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \ PNG_STRING_NEWLINE; # else - return "libpng version 1.6.24 - August 4, 2016\ + return "libpng version 1.6.25 - September 1, 2016\ Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson\ Copyright (c) 1996-1997 Andreas Dilger\ Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc."; @@ -1931,8 +1931,8 @@ png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace, static const png_byte D50_nCIEXYZ[12] = { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d }; -int /* PRIVATE */ -png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace, +static int /* bool */ +icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace, png_const_charp name, png_uint_32 profile_length) { if (profile_length < 132) @@ -1942,6 +1942,40 @@ png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace, return 1; } +#ifdef PNG_READ_iCCP_SUPPORTED +int /* PRIVATE */ +png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace, + png_const_charp name, png_uint_32 profile_length) +{ + if (!icc_check_length(png_ptr, colorspace, name, profile_length)) + return 0; + + /* This needs to be here because the 'normal' check is in + * png_decompress_chunk, yet this happens after the attempt to + * png_malloc_base the required data. We only need this on read; on write + * the caller supplies the profile buffer so libpng doesn't allocate it. See + * the call to icc_check_length below (the write case). + */ +# ifdef PNG_SET_USER_LIMITS_SUPPORTED + else if (png_ptr->user_chunk_malloc_max > 0 && + png_ptr->user_chunk_malloc_max < profile_length) + return png_icc_profile_error(png_ptr, colorspace, name, profile_length, + "exceeds application limits"); +# elif PNG_USER_CHUNK_MALLOC_MAX > 0 + else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length) + return png_icc_profile_error(png_ptr, colorspace, name, profile_length, + "exceeds libpng limits"); +# else /* !SET_USER_LIMITS */ + /* This will get compiled out on all 32-bit and better systems. */ + else if (PNG_SIZE_MAX < profile_length) + return png_icc_profile_error(png_ptr, colorspace, name, profile_length, + "exceeds system limits"); +# endif /* !SET_USER_LIMITS */ + + return 1; +} +#endif /* READ_iCCP */ + int /* PRIVATE */ png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace, png_const_charp name, png_uint_32 profile_length, @@ -2377,7 +2411,7 @@ png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace, if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) return 0; - if (png_icc_check_length(png_ptr, colorspace, name, profile_length) != 0 && + if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 && png_icc_check_header(png_ptr, colorspace, name, profile_length, profile, color_type) != 0 && png_icc_check_tag_table(png_ptr, colorspace, name, profile_length, diff --git a/thirdparty/libpng/png.h b/thirdparty/libpng/png.h index ebfb3dd0..e1f59c31 100644 --- a/thirdparty/libpng/png.h +++ b/thirdparty/libpng/png.h @@ -1,7 +1,7 @@ /* png.h - header file for PNG reference library * - * libpng version 1.6.24, August 4, 2016 + * libpng version 1.6.25, September 1, 2016 * * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) @@ -12,7 +12,7 @@ * Authors and maintainers: * libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat * libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger - * libpng versions 0.97, January 1998, through 1.6.24, August 4, 2016: + * libpng versions 0.97, January 1998, through 1.6.25, September 1, 2016: * Glenn Randers-Pehrson. * See also "Contributing Authors", below. */ @@ -29,7 +29,7 @@ * files that are distributed with libpng have other copyright owners and * are released under other open source licenses. * - * libpng versions 1.0.7, July 1, 2000 through 1.6.24, August 4, 2016 are + * libpng versions 1.0.7, July 1, 2000 through 1.6.25, September 1, 2016 are * Copyright (c) 2000-2002, 2004, 2006-2016 Glenn Randers-Pehrson, are * derived from libpng-1.0.6, and are distributed according to the same * disclaimer and license as libpng-1.0.6 with the following individuals @@ -41,6 +41,7 @@ * Cosmin Truta * Gilles Vollant * James Yu + * Mandar Sahastrabuddhe * * and with the following additions to the disclaimer: * @@ -217,7 +218,7 @@ * ... * 1.5.27 15 10527 15.so.15.27[.0] * ... - * 1.6.24 16 10624 16.so.16.24[.0] + * 1.6.25 16 10625 16.so.16.25[.0] * * Henceforth the source version will match the shared-library major * and minor numbers; the shared-library major version number will be @@ -245,13 +246,13 @@ * Y2K compliance in libpng: * ========================= * - * August 4, 2016 + * September 1, 2016 * * Since the PNG Development group is an ad-hoc body, we can't make * an official declaration. * * This is your unofficial assurance that libpng from version 0.71 and - * upward through 1.6.24 are Y2K compliant. It is my belief that + * upward through 1.6.25 are Y2K compliant. It is my belief that * earlier versions were also Y2K compliant. * * Libpng only has two year fields. One is a 2-byte unsigned integer @@ -313,8 +314,8 @@ */ /* Version information for png.h - this should match the version in png.c */ -#define PNG_LIBPNG_VER_STRING "1.6.24" -#define PNG_HEADER_VERSION_STRING " libpng version 1.6.24 - August 4, 2016\n" +#define PNG_LIBPNG_VER_STRING "1.6.25" +#define PNG_HEADER_VERSION_STRING " libpng version 1.6.25 - September 1, 2016\n" #define PNG_LIBPNG_VER_SONUM 16 #define PNG_LIBPNG_VER_DLLNUM 16 @@ -322,7 +323,7 @@ /* These should match the first 3 components of PNG_LIBPNG_VER_STRING: */ #define PNG_LIBPNG_VER_MAJOR 1 #define PNG_LIBPNG_VER_MINOR 6 -#define PNG_LIBPNG_VER_RELEASE 24 +#define PNG_LIBPNG_VER_RELEASE 25 /* This should match the numeric part of the final component of * PNG_LIBPNG_VER_STRING, omitting any leading zero: @@ -353,7 +354,7 @@ * version 1.0.0 was mis-numbered 100 instead of 10000). From * version 1.0.1 it's xxyyzz, where x=major, y=minor, z=release */ -#define PNG_LIBPNG_VER 10624 /* 1.6.24 */ +#define PNG_LIBPNG_VER 10625 /* 1.6.25 */ /* Library configuration: these options cannot be changed after * the library has been built. @@ -463,7 +464,7 @@ extern "C" { /* This triggers a compiler error in png.c, if png.c and png.h * do not agree upon the version number. */ -typedef char* png_libpng_version_1_6_24; +typedef char* png_libpng_version_1_6_25; /* Basic control structions. Read libpng-manual.txt or libpng.3 for more info. * @@ -3226,7 +3227,10 @@ PNG_EXPORT(245, int, png_image_write_to_memory, (png_imagep image, void *memory, #endif #define PNG_MAXIMUM_INFLATE_WINDOW 2 /* SOFTWARE: force maximum window */ #define PNG_SKIP_sRGB_CHECK_PROFILE 4 /* SOFTWARE: Check ICC profile for sRGB */ -#define PNG_OPTION_NEXT 6 /* Next option - numbers must be even */ +#ifdef PNG_MIPS_MSA_API_SUPPORTED +# define PNG_MIPS_MSA 6 /* HARDWARE: MIPS Msa SIMD instructions supported */ +#endif +#define PNG_OPTION_NEXT 8 /* Next option - numbers must be even */ /* Return values: NOTE: there are four values and 'off' is *not* zero */ #define PNG_OPTION_UNSET 0 /* Unset - defaults to off */ diff --git a/thirdparty/libpng/pngconf.h b/thirdparty/libpng/pngconf.h index 9da691db..08b42396 100644 --- a/thirdparty/libpng/pngconf.h +++ b/thirdparty/libpng/pngconf.h @@ -1,7 +1,7 @@ /* pngconf.h - machine configurable file for libpng * - * libpng version 1.6.24, August 4, 2016 + * libpng version 1.6.25, September 1, 2016 * * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) diff --git a/thirdparty/libpng/pnglibconf.h b/thirdparty/libpng/pnglibconf.h index d91d9f41..d7d21b2d 100644 --- a/thirdparty/libpng/pnglibconf.h +++ b/thirdparty/libpng/pnglibconf.h @@ -1,8 +1,8 @@ -/* libpng 1.6.24 STANDARD API DEFINITION */ +/* libpng 1.6.25 STANDARD API DEFINITION */ /* pnglibconf.h - library build configuration */ -/* Libpng version 1.6.24 - August 4, 2016 */ +/* Libpng version 1.6.25 - September 1, 2016 */ /* Copyright (c) 1998-2015 Glenn Randers-Pehrson */ diff --git a/thirdparty/libpng/pngmem.c b/thirdparty/libpng/pngmem.c index 6033bf2f..7053ec96 100644 --- a/thirdparty/libpng/pngmem.c +++ b/thirdparty/libpng/pngmem.c @@ -1,7 +1,7 @@ /* pngmem.c - stub functions for memory allocation * - * Last changed in libpng 1.6.24 [August 4, 2016] + * Last changed in libpng 1.6.24 [August 4, 2016%] * Copyright (c) 1998-2002,2004,2006-2014,2016 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) diff --git a/thirdparty/libpng/pngpriv.h b/thirdparty/libpng/pngpriv.h index fe3355d8..bed1cabe 100644 --- a/thirdparty/libpng/pngpriv.h +++ b/thirdparty/libpng/pngpriv.h @@ -1,7 +1,7 @@ /* pngpriv.h - private declarations for use inside libpng * - * Last changed in libpng 1.6.24 [August 4, 2016] + * Last changed in libpng 1.6.25 [September 1, 2016] * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -182,6 +182,35 @@ # endif #endif /* PNG_ARM_NEON_OPT > 0 */ +#ifndef PNG_MIPS_MSA_OPT +# if defined(__mips_msa) && (__mips_isa_rev >= 5) && defined(PNG_ALIGNED_MEMORY_SUPPORTED) +# define PNG_MIPS_MSA_OPT 2 +# else +# define PNG_MIPS_MSA_OPT 0 +# endif +#endif + +#if PNG_MIPS_MSA_OPT > 0 +# define PNG_FILTER_OPTIMIZATIONS png_init_filter_functions_msa +# ifndef PNG_MIPS_MSA_IMPLEMENTATION +# if defined(__mips_msa) +# if defined(__clang__) +# elif defined(__GNUC__) +# if __GNUC__ < 4 || (__GNUC__ == 4 && __GNUC_MINOR__ < 7) +# define PNG_MIPS_MSA_IMPLEMENTATION 2 +# endif /* no GNUC support */ +# endif /* __GNUC__ */ +# else /* !defined __mips_msa */ +# define PNG_MIPS_MSA_IMPLEMENTATION 2 +# endif /* __mips_msa */ +# endif /* !PNG_MIPS_MSA_IMPLEMENTATION */ + +# ifndef PNG_MIPS_MSA_IMPLEMENTATION +# define PNG_MIPS_MSA_IMPLEMENTATION 1 +# endif +#endif /* PNG_MIPS_MSA_OPT > 0 */ + + /* Is this a build of a DLL where compilation of the object modules requires * different preprocessor settings to those required for a simple library? If * so PNG_BUILD_DLL must be set. @@ -1191,6 +1220,23 @@ PNG_INTERNAL_FUNCTION(void,png_read_filter_row_paeth4_neon,(png_row_infop row_info, png_bytep row, png_const_bytep prev_row),PNG_EMPTY); #endif +#if PNG_MIPS_MSA_OPT > 0 +PNG_INTERNAL_FUNCTION(void,png_read_filter_row_up_msa,(png_row_infop row_info, + png_bytep row, png_const_bytep prev_row),PNG_EMPTY); +PNG_INTERNAL_FUNCTION(void,png_read_filter_row_sub3_msa,(png_row_infop + row_info, png_bytep row, png_const_bytep prev_row),PNG_EMPTY); +PNG_INTERNAL_FUNCTION(void,png_read_filter_row_sub4_msa,(png_row_infop + row_info, png_bytep row, png_const_bytep prev_row),PNG_EMPTY); +PNG_INTERNAL_FUNCTION(void,png_read_filter_row_avg3_msa,(png_row_infop + row_info, png_bytep row, png_const_bytep prev_row),PNG_EMPTY); +PNG_INTERNAL_FUNCTION(void,png_read_filter_row_avg4_msa,(png_row_infop + row_info, png_bytep row, png_const_bytep prev_row),PNG_EMPTY); +PNG_INTERNAL_FUNCTION(void,png_read_filter_row_paeth3_msa,(png_row_infop + row_info, png_bytep row, png_const_bytep prev_row),PNG_EMPTY); +PNG_INTERNAL_FUNCTION(void,png_read_filter_row_paeth4_msa,(png_row_infop + row_info, png_bytep row, png_const_bytep prev_row),PNG_EMPTY); +#endif + /* Choose the best filter to use and filter the row data */ PNG_INTERNAL_FUNCTION(void,png_write_find_filter,(png_structrp png_ptr, png_row_infop row_info),PNG_EMPTY); @@ -1494,9 +1540,11 @@ PNG_INTERNAL_FUNCTION(int,png_colorspace_set_ICC,(png_const_structrp png_ptr, /* The 'name' is used for information only */ /* Routines for checking parts of an ICC profile. */ +#ifdef PNG_READ_iCCP_SUPPORTED PNG_INTERNAL_FUNCTION(int,png_icc_check_length,(png_const_structrp png_ptr, png_colorspacerp colorspace, png_const_charp name, png_uint_32 profile_length), PNG_EMPTY); +#endif /* READ_iCCP */ PNG_INTERNAL_FUNCTION(int,png_icc_check_header,(png_const_structrp png_ptr, png_colorspacerp colorspace, png_const_charp name, png_uint_32 profile_length, @@ -1918,7 +1966,12 @@ PNG_INTERNAL_FUNCTION(void, PNG_FILTER_OPTIMIZATIONS, (png_structp png_ptr, # if PNG_ARM_NEON_OPT > 0 PNG_INTERNAL_FUNCTION(void, png_init_filter_functions_neon, (png_structp png_ptr, unsigned int bpp), PNG_EMPTY); -# endif +#endif + +#if PNG_MIPS_MSA_OPT > 0 +PNG_INTERNAL_FUNCTION(void, png_init_filter_functions_msa, + (png_structp png_ptr, unsigned int bpp), PNG_EMPTY); +#endif #endif PNG_INTERNAL_FUNCTION(png_uint_32, png_check_keyword, (png_structrp png_ptr, diff --git a/thirdparty/libpng/pngrutil.c b/thirdparty/libpng/pngrutil.c index 1c8a1794..3eaa635a 100644 --- a/thirdparty/libpng/pngrutil.c +++ b/thirdparty/libpng/pngrutil.c @@ -1,7 +1,7 @@ /* pngrutil.c - utilities to read a PNG file * - * Last changed in libpng 1.6.24 [August 4, 2016] + * Last changed in libpng 1.6.25 [September 1, 2016] * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) @@ -461,6 +461,7 @@ png_zlib_inflate(png_structrp png_ptr, int flush) #endif /* Zlib >= 1.2.4 */ #ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED +#if defined(PNG_READ_zTXt_SUPPORTED) || defined (PNG_READ_iTXt_SUPPORTED) /* png_inflate now returns zlib error codes including Z_OK and Z_STREAM_END to * allow the caller to do multiple calls if required. If the 'finish' flag is * set Z_FINISH will be passed to the final inflate() call and Z_STREAM_END must @@ -590,7 +591,6 @@ png_inflate(png_structrp png_ptr, png_uint_32 owner, int finish, } } -#if defined(PNG_READ_zTXt_SUPPORTED) || defined (PNG_READ_iTXt_SUPPORTED) /* * Decompress trailing data in a chunk. The assumption is that read_buffer * points at an allocated area holding the contents of a chunk with a From acfb307df43a811cc56c035d0dc651dac8c9e7de Mon Sep 17 00:00:00 2001 From: Matthieu Darbois Date: Wed, 7 Sep 2016 00:00:21 +0200 Subject: [PATCH 5/6] Add test for PR 818 (#822) update uclouvain/openjpeg#818 --- tests/nonregression/md5refs.txt | 1 + tests/nonregression/test_suite.ctest.in | 2 ++ 2 files changed, 3 insertions(+) diff --git a/tests/nonregression/md5refs.txt b/tests/nonregression/md5refs.txt index ba3b7ad0..2492ed52 100644 --- a/tests/nonregression/md5refs.txt +++ b/tests/nonregression/md5refs.txt @@ -299,3 +299,4 @@ a190e10941e6145e69816c909f832c1a issue559-eci-091-CIELab.jp2_0.pgx f3081c8e9e9a175f223382a7443b480f issue559-eci-091-CIELab.jp2_2.pgx 3bf91c974abc17e520c6a5efa883a58a issue653-zero-unknownbox.jp2.png 8d7a866d29d5c68dc540b0f0011959a5 issue726.png +3bf91c974abc17e520c6a5efa883a58a issue818.png diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in index d393e6c6..bbf1e77f 100644 --- a/tests/nonregression/test_suite.ctest.in +++ b/tests/nonregression/test_suite.ctest.in @@ -564,3 +564,5 @@ opj_decompress -i @INPUT_NR_PATH@/issue726.j2k -o @TEMP_PATH@/issue726.png # issue 775 !opj_decompress -i @INPUT_NR_PATH@/issue775.j2k -o @TEMP_PATH@/issue775.png !opj_decompress -i @INPUT_NR_PATH@/issue775-2.j2k -o @TEMP_PATH@/issue775-2.png +# issue 818 +opj_decompress -i @INPUT_NR_PATH@/issue818.jp2 -o @TEMP_PATH@/issue818.png From e078172b1c3f98d2219c37076b238fb759c751ea Mon Sep 17 00:00:00 2001 From: Matthieu Darbois Date: Thu, 8 Sep 2016 00:24:15 +0200 Subject: [PATCH 6/6] Add sanity check for tile coordinates (#823) Coordinates are casted from OPJ_UINT32 to OPJ_INT32 Add sanity check for negative values and upper bound becoming lower than lower bound. See also https://pdfium.googlesource.com/pdfium/+/b6befb2ed2485a3805cddea86dc7574510178ea9 --- src/lib/openjp2/tcd.c | 11 +++++++++++ tests/compare_dump_files.c | 14 +++++++------- tests/nonregression/test_suite.ctest.in | 3 +++ 3 files changed, 21 insertions(+), 7 deletions(-) diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c index 12da05ca..7a29c491 100644 --- a/src/lib/openjp2/tcd.c +++ b/src/lib/openjp2/tcd.c @@ -696,9 +696,20 @@ static INLINE OPJ_BOOL opj_tcd_init_tile(opj_tcd_t *p_tcd, OPJ_UINT32 p_tile_no, l_tx0 = l_cp->tx0 + p * l_cp->tdx; /* can't be greater than l_image->x1 so won't overflow */ l_tile->x0 = (OPJ_INT32)opj_uint_max(l_tx0, l_image->x0); l_tile->x1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, l_cp->tdx), l_image->x1); + /* all those OPJ_UINT32 are casted to OPJ_INT32, let's do some sanity check */ + if ((l_tile->x0 < 0) || (l_tile->x1 <= l_tile->x0)) { + opj_event_msg(manager, EVT_ERROR, "Tile X coordinates are not supported\n"); + return OPJ_FALSE; + } l_ty0 = l_cp->ty0 + q * l_cp->tdy; /* can't be greater than l_image->y1 so won't overflow */ l_tile->y0 = (OPJ_INT32)opj_uint_max(l_ty0, l_image->y0); l_tile->y1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, l_cp->tdy), l_image->y1); + /* all those OPJ_UINT32 are casted to OPJ_INT32, let's do some sanity check */ + if ((l_tile->y0 < 0) || (l_tile->y1 <= l_tile->y0)) { + opj_event_msg(manager, EVT_ERROR, "Tile Y coordinates are not supported\n"); + return OPJ_FALSE; + } + /* testcase 1888.pdf.asan.35.988 */ if (l_tccp->numresolutions == 0) { diff --git a/tests/compare_dump_files.c b/tests/compare_dump_files.c index 946c92a5..7d222708 100644 --- a/tests/compare_dump_files.c +++ b/tests/compare_dump_files.c @@ -118,10 +118,10 @@ int main(int argc, char **argv) test_cmp_parameters inParam; FILE *fbase=NULL, *ftest=NULL; int same = 0; - char lbase[256]; - char strbase[256]; - char ltest[256]; - char strtest[256]; + char lbase[512]; + char strbase[512]; + char ltest[512]; + char strtest[512]; if( parse_cmdline_cmp(argc, argv, &inParam) == 1 ) { @@ -154,9 +154,9 @@ int main(int argc, char **argv) while (fgets(lbase, sizeof(lbase), fbase) && fgets(ltest,sizeof(ltest),ftest)) { - int nbase = sscanf(lbase, "%255[^\r\n]", strbase); - int ntest = sscanf(ltest, "%255[^\r\n]", strtest); - assert( nbase != 255 && ntest != 255 ); + int nbase = sscanf(lbase, "%511[^\r\n]", strbase); + int ntest = sscanf(ltest, "%511[^\r\n]", strtest); + assert( nbase != 511 && ntest != 511 ); if( nbase != 1 || ntest != 1 ) { fprintf(stderr, "could not parse line from files\n" ); diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in index bbf1e77f..2dfabfbc 100644 --- a/tests/nonregression/test_suite.ctest.in +++ b/tests/nonregression/test_suite.ctest.in @@ -566,3 +566,6 @@ opj_decompress -i @INPUT_NR_PATH@/issue726.j2k -o @TEMP_PATH@/issue726.png !opj_decompress -i @INPUT_NR_PATH@/issue775-2.j2k -o @TEMP_PATH@/issue775-2.png # issue 818 opj_decompress -i @INPUT_NR_PATH@/issue818.jp2 -o @TEMP_PATH@/issue818.png +# issue 823 (yes, not a typo, test image is issue822) +!opj_decompress -i @INPUT_NR_PATH@/issue822.jp2 -o @TEMP_PATH@/issue822.png +