From fce5f51eb523e48eb2beca54690af75a726f6d0a Mon Sep 17 00:00:00 2001
From: Robin Watts <robin.watts@artifex.com>
Date: Thu, 15 Mar 2012 13:30:40 +0000
Subject: Bug 692911: Cope with over/undersize palette entries in pngs.

If entries are larger than they need to be, accept just the amount
we need. If not large enough, pad out with zeros.
---
 fitz/image_png.c | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)

(limited to 'fitz')

diff --git a/fitz/image_png.c b/fitz/image_png.c
index e2092c10..c846e156 100644
--- a/fitz/image_png.c
+++ b/fitz/image_png.c
@@ -283,8 +283,11 @@ png_read_plte(struct info *info, unsigned char *p, int size)
 	int n = size / 3;
 	int i;
 
-	if (n > 256 || n > (1 << info->depth))
-		fz_throw(info->ctx, "too many samples in palette");
+	if (n > 256)
+	{
+		fz_warn(info->ctx, "too many samples in palette");
+		n = 256;
+	}
 
 	for (i = 0; i < n; i++)
 	{
@@ -292,6 +295,17 @@ png_read_plte(struct info *info, unsigned char *p, int size)
 		info->palette[i * 4 + 1] = p[i * 3 + 1];
 		info->palette[i * 4 + 2] = p[i * 3 + 2];
 	}
+
+	/* Fill in any missing palette entries */
+	n = 1 << info->depth;
+	if (n > 256)
+		n = 256;
+	for (; i < n; i++)
+	{
+		info->palette[i * 4] = 0;
+		info->palette[i * 4 + 1] = 0;
+		info->palette[i * 4 + 2] = 0;
+	}
 }
 
 static void
@@ -303,10 +317,19 @@ png_read_trns(struct info *info, unsigned char *p, int size)
 
 	if (info->indexed)
 	{
-		if (size > 256 || size > (1 << info->depth))
-			fz_throw(info->ctx, "too many samples in transparency table");
+		if (size > 256)
+		{
+			fz_warn(info->ctx, "too many samples in transparency table");
+			size = 256;
+		}
 		for (i = 0; i < size; i++)
 			info->palette[i * 4 + 3] = p[i];
+		/* Fill in any missing entries */
+		size = (1 << info->depth);
+		if (size > 256)
+			size = 256;
+		for (; i < size; i++)
+			info->palette[i * 4 + 3] = 0;
 	}
 	else
 	{
-- 
cgit v1.2.3