From a0bb96c34e65378853ee518bac502842d26c2d1a Mon Sep 17 00:00:00 2001
From: Patrick Scott <phanna@android.com>
Date: Wed, 22 Jul 2009 11:50:02 -0400
Subject: Update libpng to 1.2.38 to patch a minor security issue.

---
 pngwio.c | 111 ++++++++++++++++++++++++++++++++++++++-------------------------
 1 file changed, 68 insertions(+), 43 deletions(-)

(limited to 'pngwio.c')

diff --git a/pngwio.c b/pngwio.c
index 52eb7c0..f77b2db 100644
--- a/pngwio.c
+++ b/pngwio.c
@@ -1,12 +1,15 @@
 
 /* pngwio.c - functions for data output
  *
- * Last changed in libpng 1.2.35 [February 14, 2009]
- * For conditions of distribution and use, see copyright notice in png.h
+ * Last changed in libpng 1.2.37 [June 4, 2009]
  * Copyright (c) 1998-2009 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
+ * This code is released under the libpng license.
+ * For conditions of distribution and use, see the disclaimer
+ * and license in png.h
+ *
  * This file provides a location for all output.  Users who need
  * special handling are expected to write functions that have the same
  * arguments as these and perform similar functions, but that possibly
@@ -20,10 +23,11 @@
 #ifdef PNG_WRITE_SUPPORTED
 
 /* Write the data to whatever output you are using.  The default routine
-   writes to a file pointer.  Note that this routine sometimes gets called
-   with very small lengths, so you should implement some kind of simple
-   buffering if you are using unbuffered writes.  This should never be asked
-   to write more than 64K on a 16 bit machine.  */
+ * writes to a file pointer.  Note that this routine sometimes gets called
+ * with very small lengths, so you should implement some kind of simple
+ * buffering if you are using unbuffered writes.  This should never be asked
+ * to write more than 64K on a 16 bit machine.
+ */
 
 void /* PRIVATE */
 png_write_data(png_structp png_ptr, png_bytep data, png_size_t length)
@@ -36,16 +40,18 @@ png_write_data(png_structp png_ptr, png_bytep data, png_size_t length)
 
 #if !defined(PNG_NO_STDIO)
 /* This is the function that does the actual writing of data.  If you are
-   not writing to a standard C stream, you should create a replacement
-   write_data function and use it at run time with png_set_write_fn(), rather
-   than changing the library. */
+ * not writing to a standard C stream, you should create a replacement
+ * write_data function and use it at run time with png_set_write_fn(), rather
+ * than changing the library.
+ */
 #ifndef USE_FAR_KEYWORD
 void PNGAPI
 png_default_write_data(png_structp png_ptr, png_bytep data, png_size_t length)
 {
    png_uint_32 check;
 
-   if (png_ptr == NULL) return;
+   if (png_ptr == NULL)
+      return;
 #if defined(_WIN32_WCE)
    if ( !WriteFile((HANDLE)(png_ptr->io_ptr), data, length, &check, NULL) )
       check = 0;
@@ -56,10 +62,10 @@ png_default_write_data(png_structp png_ptr, png_bytep data, png_size_t length)
       png_error(png_ptr, "Write Error");
 }
 #else
-/* this is the model-independent version. Since the standard I/O library
-   can't handle far buffers in the medium and small models, we have to copy
-   the data.
-*/
+/* This is the model-independent version. Since the standard I/O library
+ * can't handle far buffers in the medium and small models, we have to copy
+ * the data.
+ */
 
 #define NEAR_BUF_SIZE 1024
 #define MIN(a,b) (a <= b ? a : b)
@@ -71,7 +77,8 @@ png_default_write_data(png_structp png_ptr, png_bytep data, png_size_t length)
    png_byte *near_data;  /* Needs to be "png_byte *" instead of "png_bytep" */
    png_FILE_p io_ptr;
 
-   if (png_ptr == NULL) return;
+   if (png_ptr == NULL)
+      return;
    /* Check if data really is near. If so, use usual code. */
    near_data = (png_byte *)CVT_PTR_NOCHECK(data);
    io_ptr = (png_FILE_p)CVT_PTR(png_ptr->io_ptr);
@@ -93,7 +100,7 @@ png_default_write_data(png_structp png_ptr, png_bytep data, png_size_t length)
       do
       {
          written = MIN(NEAR_BUF_SIZE, remaining);
-         png_memcpy(buf, data, written); /* copy far buffer to near buffer */
+         png_memcpy(buf, data, written); /* Copy far buffer to near buffer */
 #if defined(_WIN32_WCE)
          if ( !WriteFile(io_ptr, buf, written, &err, NULL) )
             err = 0;
@@ -102,8 +109,10 @@ png_default_write_data(png_structp png_ptr, png_bytep data, png_size_t length)
 #endif
          if (err != written)
             break;
+
          else
             check += err;
+
          data += written;
          remaining -= written;
       }
@@ -117,8 +126,9 @@ png_default_write_data(png_structp png_ptr, png_bytep data, png_size_t length)
 #endif
 
 /* This function is called to output any data pending writing (normally
-   to disk).  After png_flush is called, there should be no data pending
-   writing in any buffers. */
+ * to disk).  After png_flush is called, there should be no data pending
+ * writing in any buffers.
+ */
 #if defined(PNG_WRITE_FLUSH_SUPPORTED)
 void /* PRIVATE */
 png_flush(png_structp png_ptr)
@@ -134,48 +144,58 @@ png_default_flush(png_structp png_ptr)
 #if !defined(_WIN32_WCE)
    png_FILE_p io_ptr;
 #endif
-   if (png_ptr == NULL) return;
+   if (png_ptr == NULL)
+      return;
 #if !defined(_WIN32_WCE)
    io_ptr = (png_FILE_p)CVT_PTR((png_ptr->io_ptr));
-   if (io_ptr != NULL && fileno(io_ptr) != -1)
-      fflush(io_ptr);
+   fflush(io_ptr);
 #endif
 }
 #endif
 #endif
 
 /* This function allows the application to supply new output functions for
-   libpng if standard C streams aren't being used.
-
-   This function takes as its arguments:
-   png_ptr       - pointer to a png output data structure
-   io_ptr        - pointer to user supplied structure containing info about
-                   the output functions.  May be NULL.
-   write_data_fn - pointer to a new output function that takes as its
-                   arguments a pointer to a png_struct, a pointer to
-                   data to be written, and a 32-bit unsigned int that is
-                   the number of bytes to be written.  The new write
-                   function should call png_error(png_ptr, "Error msg")
-                   to exit and output any fatal error messages.
-   flush_data_fn - pointer to a new flush function that takes as its
-                   arguments a pointer to a png_struct.  After a call to
-                   the flush function, there should be no data in any buffers
-                   or pending transmission.  If the output method doesn't do
-                   any buffering of ouput, a function prototype must still be
-                   supplied although it doesn't have to do anything.  If
-                   PNG_WRITE_FLUSH_SUPPORTED is not defined at libpng compile
-                   time, output_flush_fn will be ignored, although it must be
-                   supplied for compatibility. */
+ * libpng if standard C streams aren't being used.
+ *
+ * This function takes as its arguments:
+ * png_ptr       - pointer to a png output data structure
+ * io_ptr        - pointer to user supplied structure containing info about
+ *                 the output functions.  May be NULL.
+ * write_data_fn - pointer to a new output function that takes as its
+ *                 arguments a pointer to a png_struct, a pointer to
+ *                 data to be written, and a 32-bit unsigned int that is
+ *                 the number of bytes to be written.  The new write
+ *                 function should call png_error(png_ptr, "Error msg")
+ *                 to exit and output any fatal error messages.  May be
+ *                 NULL, in which case libpng's default function will
+ *                 be used.
+ * flush_data_fn - pointer to a new flush function that takes as its
+ *                 arguments a pointer to a png_struct.  After a call to
+ *                 the flush function, there should be no data in any buffers
+ *                 or pending transmission.  If the output method doesn't do
+ *                 any buffering of ouput, a function prototype must still be
+ *                 supplied although it doesn't have to do anything.  If
+ *                 PNG_WRITE_FLUSH_SUPPORTED is not defined at libpng compile
+ *                 time, output_flush_fn will be ignored, although it must be
+ *                 supplied for compatibility.  May be NULL, in which case
+ *                 libpng's default function will be used, if
+ *                 PNG_WRITE_FLUSH_SUPPORTED is defined.  This is not
+ *                 a good idea if io_ptr does not point to a standard
+ *                 *FILE structure.
+ */
 void PNGAPI
 png_set_write_fn(png_structp png_ptr, png_voidp io_ptr,
    png_rw_ptr write_data_fn, png_flush_ptr output_flush_fn)
 {
-   if (png_ptr == NULL) return;
+   if (png_ptr == NULL)
+      return;
+
    png_ptr->io_ptr = io_ptr;
 
 #if !defined(PNG_NO_STDIO)
    if (write_data_fn != NULL)
       png_ptr->write_data_fn = write_data_fn;
+
    else
       png_ptr->write_data_fn = png_default_write_data;
 #else
@@ -186,6 +206,7 @@ png_set_write_fn(png_structp png_ptr, png_voidp io_ptr,
 #if !defined(PNG_NO_STDIO)
    if (output_flush_fn != NULL)
       png_ptr->output_flush_fn = output_flush_fn;
+
    else
       png_ptr->output_flush_fn = png_default_flush;
 #else
@@ -212,9 +233,11 @@ void *png_far_to_near(png_structp png_ptr, png_voidp ptr, int check)
    void FAR *far_ptr;
    FP_OFF(near_ptr) = FP_OFF(ptr);
    far_ptr = (void FAR *)near_ptr;
+
    if (check != 0)
       if (FP_SEG(ptr) != FP_SEG(far_ptr))
          png_error(png_ptr, "segment lost in conversion");
+
    return(near_ptr);
 }
 #  else
@@ -224,9 +247,11 @@ void *png_far_to_near(png_structp png_ptr, png_voidp ptr, int check)
    void FAR *far_ptr;
    near_ptr = (void FAR *)ptr;
    far_ptr = (void FAR *)near_ptr;
+
    if (check != 0)
       if (far_ptr != ptr)
          png_error(png_ptr, "segment lost in conversion");
+
    return(near_ptr);
 }
 #   endif
-- 
cgit v1.1