[libpng16] Fixed the recently reported 1's complement security issue by

replacing the value that is illegal in the PNG spec, in both signed and
unsigned values, with 0. Illegal unsigned values (anything greater than or equal
to  0x80000000) can still pass through, but since these are not illegal
in ANSI-C (unlike 0x80000000 in the signed case) the checking that
occurs later can catch them (John Bowler).

ANNOUNCE

-Libpng 1.6.19beta02 - August 18, 2015
+Libpng 1.6.19beta02 - August 19, 2015
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -40,7 +40,7 @@ Version 1.6.19beta01 [July 30, 2015]
   Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c
   Fixed uninitialized variable in contrib/gregbook/rpng2-x.c
 
-Version 1.6.19beta02 [August 18, 2015]
+Version 1.6.19beta02 [August 19, 2015]
   Moved config.h.in~ from the "libpng_autotools_files" list to the
     "libpng_autotools_extra" list in autogen.sh because it was causing a
     false positive for missing files (bug report by Robert C. Seacord).
@@ -57,6 +57,12 @@ Version 1.6.19beta02 [August 18, 2015]
     high level of warnings).
   Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert
     Seacord).
+  Fixed the recently reported 1's complement security issue by replacing
+    the value that is illegal in the PNG spec, in both signed and unsigned
+    values, with 0. Illegal unsigned values (anything greater than or equal
+    to  0x80000000) can still pass through, but since these are not illegal
+    in ANSI-C (unlike 0x80000000 in the signed case) the checking that
+    occurs later can catch them (John Bowler).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

CHANGES

@@ -5320,7 +5320,7 @@ Version 1.6.19beta01 [July 30, 2015]
   Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c
   Fixed uninitialized variable in contrib/gregbook/rpng2-x.c
 
-Version 1.6.19beta02 [August 18, 2015]
+Version 1.6.19beta02 [August 19, 2015]
   Moved config.h.in~ from the "libpng_autotools_files" list to the
     "libpng_autotools_extra" list in autogen.sh because it was causing a
     false positive for missing files (bug report by Robert C. Seacord).
@@ -5337,6 +5337,12 @@ Version 1.6.19beta02 [August 18, 2015]
     high level of warnings).
   Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert
     Seacord).
+  Fixed the recently reported 1's complement security issue by replacing
+    the value that is illegal in the PNG spec, in both signed and unsigned
+    values, with 0. Illegal unsigned values (anything greater than or equal
+    to  0x80000000) can still pass through, but since these are not illegal
+    in ANSI-C (unlike 0x80000000 in the signed case) the checking that
+    occurs later can catch them (John Bowler).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

libpng-manual.txt

 libpng-manual.txt - A description on how to use and modify libpng
 
- libpng version 1.6.19beta02 - August 18, 2015
+ libpng version 1.6.19beta02 - August 19, 2015
  Updated and distributed by Glenn Randers-Pehrson
  <glennrp at users.sourceforge.net>
  Copyright (c) 1998-2015 Glenn Randers-Pehrson
@@ -11,7 +11,7 @@ libpng-manual.txt - A description on how to use and modify libpng
 
  Based on:
 
- libpng versions 0.97, January 1998, through 1.6.19beta02 - August 18, 2015
+ libpng versions 0.97, January 1998, through 1.6.19beta02 - August 19, 2015
  Updated and distributed by Glenn Randers-Pehrson
  Copyright (c) 1998-2015 Glenn Randers-Pehrson
 
@@ -5312,7 +5312,7 @@ Other rules can be inferred by inspecting the libpng source.
 
 XVI. Y2K Compliance in libpng
 
-August 18, 2015
+August 19, 2015
 
 Since the PNG Development group is an ad-hoc body, we can't make
 an official declaration.

libpng.3

-.TH LIBPNG 3 "August 18, 2015"
+.TH LIBPNG 3 "August 19, 2015"
 .SH NAME
 libpng \- Portable Network Graphics (PNG) Reference Library 1.6.19beta02
 .SH SYNOPSIS
@@ -508,7 +508,7 @@ Following is a copy of the libpng-manual.txt file that accompanies libpng.
 .SH LIBPNG.TXT
 libpng-manual.txt - A description on how to use and modify libpng
 
- libpng version 1.6.19beta02 - August 18, 2015
+ libpng version 1.6.19beta02 - August 19, 2015
  Updated and distributed by Glenn Randers-Pehrson
  <glennrp at users.sourceforge.net>
  Copyright (c) 1998-2015 Glenn Randers-Pehrson
@@ -519,7 +519,7 @@ libpng-manual.txt - A description on how to use and modify libpng
 
  Based on:
 
- libpng versions 0.97, January 1998, through 1.6.19beta02 - August 18, 2015
+ libpng versions 0.97, January 1998, through 1.6.19beta02 - August 19, 2015
  Updated and distributed by Glenn Randers-Pehrson
  Copyright (c) 1998-2015 Glenn Randers-Pehrson
 
@@ -5820,7 +5820,7 @@ Other rules can be inferred by inspecting the libpng source.
 
 .SH XVI. Y2K Compliance in libpng
 
-August 18, 2015
+August 19, 2015
 
 Since the PNG Development group is an ad-hoc body, we can't make
 an official declaration.
@@ -6141,7 +6141,7 @@ possible without all of you.
 
 Thanks to Frank J. T. Wojcik for helping with the documentation.
 
-Libpng version 1.6.19beta02 - August 18, 2015:
+Libpng version 1.6.19beta02 - August 19, 2015:
 Initially created in 1995 by Guy Eric Schalnat, then of Group 42, Inc.
 Currently maintained by Glenn Randers-Pehrson (glennrp at users.sourceforge.net).
 
@@ -6164,7 +6164,7 @@ this sentence.
 
 This code is released under the libpng license.
 
-libpng versions 1.0.7, July 1, 2000, through 1.6.19beta02, August 18, 2015, are
+libpng versions 1.0.7, July 1, 2000, through 1.6.19beta02, August 19, 2015, are
 Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, and are
 distributed according to the same disclaimer and license as libpng-1.0.6
 with the following individuals added to the list of Contributing Authors:
@@ -6258,7 +6258,7 @@ the additional disclaimers inserted at version 1.0.7.
 
 Glenn Randers-Pehrson
 glennrp at users.sourceforge.net
-August 18, 2015
+August 19, 2015
 
 .\" end of man page
 

png.c

@@ -774,13 +774,13 @@ png_get_copyright(png_const_structrp png_ptr)
 #else
 #  ifdef __STDC__
    return PNG_STRING_NEWLINE \
-      "libpng version 1.6.19beta02 - August 18, 2015" PNG_STRING_NEWLINE \
+      "libpng version 1.6.19beta02 - August 19, 2015" PNG_STRING_NEWLINE \
       "Copyright (c) 1998-2015 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \
       "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
       "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
       PNG_STRING_NEWLINE;
 #  else
-   return "libpng version 1.6.19beta02 - August 18, 2015\
+   return "libpng version 1.6.19beta02 - August 19, 2015\
       Copyright (c) 1998-2015 Glenn Randers-Pehrson\
       Copyright (c) 1996-1997 Andreas Dilger\
       Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.";

png.h

 
 /* png.h - header file for PNG reference library
  *
- * libpng version 1.6.19beta02, August 18, 2015
+ * libpng version 1.6.19beta02, August 19, 2015
  *
  * Copyright (c) 1998-2015 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
@@ -12,7 +12,7 @@
  * Authors and maintainers:
  *   libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat
  *   libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger
- *   libpng versions 0.97, January 1998, through 1.6.19beta02, August 18, 2015: Glenn
+ *   libpng versions 0.97, January 1998, through 1.6.19beta02, August 19, 2015: Glenn
  *   See also "Contributing Authors", below.
  *
  * Note about libpng version numbers:
@@ -251,7 +251,7 @@
  *
  * This code is released under the libpng license.
  *
- * libpng versions 1.0.7, July 1, 2000, through 1.6.19beta02, August 18, 2015, are
+ * libpng versions 1.0.7, July 1, 2000, through 1.6.19beta02, August 19, 2015, are
  * Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, and are
  * distributed according to the same disclaimer and license as libpng-1.0.6
  * with the following individuals added to the list of Contributing Authors:
@@ -360,7 +360,7 @@
  * Y2K compliance in libpng:
  * =========================
  *
- *    August 18, 2015
+ *    August 19, 2015
  *
  *    Since the PNG Development group is an ad-hoc body, we can't make
  *    an official declaration.
@@ -430,7 +430,7 @@
 /* Version information for png.h - this should match the version in png.c */
 #define PNG_LIBPNG_VER_STRING "1.6.19beta02"
 #define PNG_HEADER_VERSION_STRING \
-     " libpng version 1.6.19beta02 - August 18, 2015\n"
+     " libpng version 1.6.19beta02 - August 19, 2015\n"
 
 #define PNG_LIBPNG_VER_SONUM   16
 #define PNG_LIBPNG_VER_DLLNUM  16
@@ -2724,7 +2724,7 @@ PNG_EXPORT(207, void, png_save_uint_16, (png_bytep buf, unsigned int i));
 
 #  define PNG_get_int_32(buf) \
      ((png_int_32)((*(buf) & 0x80) \
-      ? -((png_int_32)((png_get_uint_32(buf) ^ 0xffffffffL) + 1)) \
+      ? -((png_int_32)(((png_get_uint_32(buf)^0xffffffffU)+1U)&0x7fffffffU)) \
       : (png_int_32)png_get_uint_32(buf)))
 
    /* If PNG_PREFIX is defined the same thing as below happens in pnglibconf.h,

pngrutil.c

@@ -89,7 +89,13 @@ png_get_int_32)(png_const_bytep buf)
       return uval;
 
    uval = (uval ^ 0xffffffff) + 1;  /* 2's complement: -x = ~x+1 */
-   return -(png_int_32)uval;
+   if ((uval & 0x80000000) == 0) /* no overflow */
+       return -(png_int_32)uval;
+   /* The following has to be safe; this function only gets called on PNG data
+    * and if we get here that data is invalid.  0 is the most safe value and
+    * if not then an attacker would surely just generate a PNG with 0 instead.
+    */
+   return 0;
 }
 
 /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */