#269 png_do_check_palette_indexes seems out of bounds

libpng_code
closed-fixed
None
5
2017-09-28
2017-08-28
Mick P.
No

I think the logic in this subroutine misses the first pixel in a row and reads beyond the last pixel.

  png_bytep rp = png_ptr->row_buf + row_info->rowbytes;

  switch (row_info->bit_depth)
  {
     case 1:
     {
        /* in this case, all bytes must be 0 so we don't need
         * to unpack the pixels except for the rightmost one.
         */
        for (; rp > png_ptr->row_buf; rp--)

I lost a good chunk of a day on this. In any case, it's saying an index is larger than the palette, but scanning the image says otherwise. I think this has never been noticed because a 256-entry palette can never fail this test, since 255 is the largest 8-bit index.

Discussion

  • Mick P.

    Mick P. - 2017-08-28

    FYI: My problem had to do with signed data. >> was doing sign extension.

    See the following example that checks for palette overflow. It's either very counterintuitive or it's checking beyond the row and not checking the first pixel/index in the row.

     case 8:
         {
            for (; rp > png_ptr->row_buf; rp--)
            {
               if (*rp > png_ptr->num_palette_max)
                  png_ptr->num_palette_max = (int) *rp;
            }
    
            break;
         }
    
     
  • Glenn Randers-Pehrson

    I believe you're correct. Fixed in the GIT repos by subtracting 1:

    png_bytep rp = png_ptr->row_buf + row_info->rowbytes - 1;

     

    Last edit: Glenn Randers-Pehrson 2017-08-28
  • Glenn Randers-Pehrson

    • status: open --> pending-accepted
    • assigned_to: Glenn Randers-Pehrson
     
  • Glenn Randers-Pehrson

    • status: pending-accepted --> closed-fixed
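
    The off-by-one argument in this ticket can be checked directly. The C program below is an added example, not libpng's code: it replays the loop quoted above (rp = row_buf + start; for (; rp > row_buf; rp--)) over a constructed buffer and records which offsets are read, for both starting points discussed (rowbytes and rowbytes - 1). The buffer layout is an assumption: the model puts an optional one-byte non-pixel prefix in front of the pixel bytes, because this ticket never states whether offset 0 of row_buf holds pixel data, and which starting pointer visits exactly the pixels depends on that. The program also shows the signed-shift pitfall from Mick P.'s second comment and an index-based form of the same scan with its bounds written out. The names run_case, walk_down, max_palette_index and the sample row are all constructed for this example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

#define ROWBYTES  6
#define SENTINEL  0xFF   /* stands for whatever memory happens to follow the row */

/* Constructed pixel row: the largest index (250) is deliberately the FIRST pixel,
 * so a scan that skips the first pixel reports a visibly wrong maximum. */
static const unsigned char sample_pixels[ROWBYTES] = { 250, 0, 3, 7, 1, 2 };

struct walk {
    size_t lo, hi;      /* smallest / largest offset read from row_buf */
    int max_index;      /* largest byte value seen, -1 if nothing was read */
    int missed_first;   /* first pixel was never visited */
    int missed_last;    /* last pixel was never visited */
    int read_past;      /* the sentinel (byte after the row) was read */
};

/* Model buffer (an assumption, not libpng's layout): `prefix' non-pixel bytes
 * (0 or 1), then ROWBYTES pixel bytes, then the sentinel. */
static void build_row(unsigned char *buf, size_t prefix)
{
    size_t i;
    for (i = 0; i < prefix; i++)
        buf[i] = 0;
    for (i = 0; i < ROWBYTES; i++)
        buf[prefix + i] = sample_pixels[i];
    buf[prefix + ROWBYTES] = SENTINEL;
}

/* Replays the ticket's loop:  rp = row_buf + start;  for (; rp > row_buf; rp--)
 * `start' is rowbytes in the reported code and rowbytes - 1 after the fix. */
static struct walk walk_down(const unsigned char *row_buf, size_t prefix, size_t start)
{
    struct walk w = { (size_t)-1, 0, -1, 0, 0, 0 };
    const unsigned char *rp = row_buf + start;

    for (; rp > row_buf; rp--) {
        size_t off = (size_t)(rp - row_buf);
        if (off < w.lo) w.lo = off;
        if (off > w.hi) w.hi = off;
        if (*rp > w.max_index) w.max_index = *rp;   /* the `case 8' body from the ticket */
    }
    w.missed_first = (w.lo > prefix);                   /* first pixel sits at offset prefix */
    w.missed_last  = (w.hi < prefix + ROWBYTES - 1);    /* last pixel sits at prefix+ROWBYTES-1 */
    w.read_past    = (w.hi >= prefix + ROWBYTES);       /* sentinel sits at prefix+ROWBYTES */
    return w;
}

/* Builds a buffer with the given layout and walks it from `start'. */
static struct walk run_case(size_t prefix, size_t start)
{
    unsigned char buf[1 + ROWBYTES + 1];
    build_row(buf, prefix);
    return walk_down(buf, prefix, start);
}

/* Index-based form of the check: the bounds are explicit, so it reads exactly
 * row_buf[first .. first + rowbytes) whichever layout the row has. */
static int max_palette_index(const unsigned char *row_buf, size_t first, size_t rowbytes)
{
    int max = -1;
    size_t i;
    for (i = first; i < first + rowbytes; i++)
        if (row_buf[i] > max)
            max = row_buf[i];
    return max;
}

static int indexed_case(size_t prefix)
{
    unsigned char buf[1 + ROWBYTES + 1];
    build_row(buf, prefix);
    return max_palette_index(buf, prefix, ROWBYTES);
}

/* The pitfall from the second comment: >> on a negative signed value is an
 * arithmetic shift on GCC, Clang and MSVC, so the high nibble of 0xF0 comes out
 * as -1 through a signed char and as 15 through an unsigned char. */
static int high_nibble_signed(unsigned char b)   { signed char c = (signed char)b; return c >> 4; }
static int high_nibble_unsigned(unsigned char b) { return b >> 4; }

static void report(const char *label, struct walk w)
{
    printf("%-30s offsets %zu..%zu  max %3d  first missed:%d  last missed:%d  past end:%d\n",
           label, w.lo, w.hi, w.max_index, w.missed_first, w.missed_last, w.read_past);
}

int main(void)
{
    report("pixels at 0, start rowbytes",   run_case(0, ROWBYTES));
    report("pixels at 0, start rowbytes-1", run_case(0, ROWBYTES - 1));
    report("pixels at 1, start rowbytes",   run_case(1, ROWBYTES));
    report("pixels at 1, start rowbytes-1", run_case(1, ROWBYTES - 1));
    printf("indexed loop, either layout:   max %d / %d\n", indexed_case(0), indexed_case(1));
    printf("0xF0 >> 4: signed char %d, unsigned char %d\n",
           high_nibble_signed(0xF0), high_nibble_unsigned(0xF0));
    return 0;
}
```

    Compare the four rows the program prints. With the pixels at offset 0, starting at rowbytes reads the sentinel and neither starting point ever reaches offset 0, because the bound rp > row_buf excludes it; with a one-byte prefix, starting at rowbytes covers exactly the pixels and rowbytes - 1 skips the last one. The index-based loop reads the same bytes under both layouts, which is the shape to prefer when a loop's bounds decide whether it reads outside its buffer. The signed-shift case shows why the row bytes should be handled as unsigned before any index is extracted from them.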
     