From 85c6d089d7d0cd6492e794c1a3b89df27c358ae4 Mon Sep 17 00:00:00 2001
From: ache
Date: Wed, 7 Jul 2004 10:33:28 +0000
Subject: In 16-bit samples case the starting offsets for the loops are calculated incorrectly which may cause a buffer overrun beyond the beginning of the row buffer.
Submitted by: Robert Nagy
---
 graphics/png/Makefile | 4 ++--
 graphics/png/files/patch-pngrtran.c | 46 +++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100644 graphics/png/files/patch-pngrtran.c
(limited to 'graphics/png')
diff --git a/graphics/png/Makefile b/graphics/png/Makefile
index eacb963373da..d9a1c89c6b32 100644
--- a/graphics/png/Makefile
+++ b/graphics/png/Makefile
@@ -6,8 +6,8 @@
 #
 PORTNAME= png
-PORTVERSION= 1.2.5
-PORTREVISION= 5
+PORTVERSION= 1.2.5
+PORTREVISION= 6
 CATEGORIES= graphics
 MASTER_SITES= http://www.libpng.org/pub/png/src/ \
 ftp://swrinde.nde.swri.edu/pub/png/src/ \
diff --git a/graphics/png/files/patch-pngrtran.c b/graphics/png/files/patch-pngrtran.c
new file mode 100644
index 000000000000..1a3a40279cd4
--- /dev/null
+++ b/graphics/png/files/patch-pngrtran.c
@@ -0,0 +1,46 @@
+--- pngrtran.c.orig Tue Jul 6 17:44:30 2004
++++ pngrtran.c Tue Jul 6 17:46:22 2004
+@@ -1889,8 +1889,8 @@ png_do_read_filler(png_row_infop row_inf
+ /* This changes the data from GG to GGXX */
+ if (flags & PNG_FLAG_FILLER_AFTER)
+ {
+- png_bytep sp = row + (png_size_t)row_width;
+- png_bytep dp = sp + (png_size_t)row_width;
++ png_bytep sp = row + (png_size_t)row_width * 2;
++ png_bytep dp = sp + (png_size_t)row_width * 2;
+ for (i = 1; i < row_width; i++)
+ {
+ *(--dp) = hi_filler;
+@@ -1907,8 +1907,8 @@ png_do_read_filler(png_row_infop row_inf
+ /* This changes the data from GG to XXGG */
+ else
+ {
+- png_bytep sp = row + (png_size_t)row_width;
+- png_bytep dp = sp + (png_size_t)row_width;
++ png_bytep sp = row + (png_size_t)row_width * 2;
++ png_bytep dp = sp + (png_size_t)row_width * 2;
+ for (i = 0; i < row_width; i++)
+ {
+ *(--dp) = *(--sp);
+@@ -1965,8 +1965,8 @@ png_do_read_filler(png_row_infop row_inf
+ /* This changes the data from RRGGBB to RRGGBBXX */
+ if (flags & PNG_FLAG_FILLER_AFTER)
+ {
+- png_bytep sp = row + (png_size_t)row_width * 3;
+- png_bytep dp = sp + (png_size_t)row_width;
++ png_bytep sp = row + (png_size_t)row_width * 6;
++ png_bytep dp = sp + (png_size_t)row_width * 2;
+ for (i = 1; i < row_width; i++)
+ {
+ *(--dp) = hi_filler;
+@@ -1987,8 +1987,8 @@ png_do_read_filler(png_row_infop row_inf
+ /* This changes the data from RRGGBB to XXRRGGBB */
+ else
+ {
+- png_bytep sp = row + (png_size_t)row_width * 3;
+- png_bytep dp = sp + (png_size_t)row_width;
++ png_bytep sp = row + (png_size_t)row_width * 6;
++ png_bytep dp = sp + (png_size_t)row_width * 2;
+ for (i = 0; i < row_width; i++)
+ {
+ *(--dp) = *(--sp);
\ No newline at end of file
-- cgit
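Review bot: The corrected start offsets in all four 16-bit branches are written as bare multipliers (`row_width * 2`, `row_width * 6`) with nothing stating what they stand for, which makes it easy for one-byte-per-sample values like the replaced ones to go unnoticed. A short comment above each pair would make the invariant checkable, for example `/* sp = end of input (2 bytes/pixel), dp = end of output (4 bytes/pixel) */` in the gray branches and the 6- and 8-byte equivalent in the RGB branches. With the new values `dp` starts at `row + row_width * 4` or `row + row_width * 8`, so the fix is only complete if the row buffer is allocated for the expanded pixel size and `row_width` is bounded so that the `png_size_t` products cannot wrap. Neither is visible here, because png_do_read_filler begins and ends outside these hunks.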