From 94899f849e50a765bb26420f5c70d49002d6673f Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson
Date: Mon, 26 Jan 2015 16:07:00 -0500
Subject: [PATCH] Bug 1117406 - Fix handling of out-of-range PNG tRNS values. r=jmuizelaar, a=abillings
---
 image/decoders/nsPNGDecoder.cpp | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/image/decoders/nsPNGDecoder.cpp b/image/decoders/nsPNGDecoder.cpp
index acaa835..8e6bc2d 100644
--- a/image/decoders/nsPNGDecoder.cpp
+++ b/image/decoders/nsPNGDecoder.cpp
@@ -528,24 +528,26 @@ nsPNGDecoder::info_callback(png_structp png_ptr, png_infop info_ptr)
 png_set_expand(png_ptr);
 if (png_get_valid(png_ptr, info_ptr, PNG_INFO_tRNS)) {
- int sample_max = (1 << bit_depth);
 png_color_16p trans_values;
 png_get_tRNS(png_ptr, info_ptr, &trans, &num_trans, &trans_values);
 /* libpng doesn't reject a tRNS chunk with out-of-range samples so we check it here to avoid setting up a useless opacity
- channel or producing unexpected transparent pixels when using
- libpng-1.2.19 through 1.2.26 (bug #428045) */
- if ((color_type == PNG_COLOR_TYPE_GRAY &&
- (int)trans_values->gray > sample_max) ||
- (color_type == PNG_COLOR_TYPE_RGB &&
- ((int)trans_values->red > sample_max ||
- (int)trans_values->green > sample_max ||
- (int)trans_values->blue > sample_max)))
+ channel or producing unexpected transparent pixels (bug #428045) */
+ if (bit_depth < 16) {
+ png_uint_16 sample_max = (1 << bit_depth) - 1;
+ if ((color_type == PNG_COLOR_TYPE_GRAY &&
+ trans_values->gray > sample_max) ||
+ (color_type == PNG_COLOR_TYPE_RGB &&
+ (trans_values->red > sample_max ||
+ trans_values->green > sample_max ||
+ trans_values->blue > sample_max)))
 {
 /* clear the tRNS valid flag and release tRNS memory */
 png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
+ num_trans = 0;
 }
- else
+ }
+ if (num_trans != 0)
 png_set_expand(png_ptr);
 }
-- 
2.2.1
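Review bot: The return value of `png_get_tRNS` is ignored while `trans_values` is declared uninitialised one line earlier, so the new range check dereferences it, and the later `if (num_trans != 0)` gates `png_set_expand` on outputs that are only meaningful if the call succeeded. The enclosing `png_get_valid(..., PNG_INFO_tRNS)` test presumably guarantees success, but since this block exists to distrust the chunk, I would declare `png_color_16p trans_values = nullptr;` and enter the range check only when the call returns non-zero and `trans_values` is set. The comment should also say why depth 16 is skipped, e.g. `/* 16-bit samples always fit in png_uint_16, so only depths below 16 can be out of range */`. `num_trans` is declared outside this hunk, so its initial value could not be checked here.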