1 files changed, 49 insertions, 36 deletions
diff --git a/plugins/FreeImage/Source/LibPNG/pngerror.c b/plugins/FreeImage/Source/LibPNG/pngerror.c
index 4a76644be2..9df97f583c 100644
--- a/plugins/FreeImage/Source/LibPNG/pngerror.c
+++ b/plugins/FreeImage/Source/LibPNG/pngerror.c
@@ -1,8 +1,8 @@
 
 /* pngerror.c - stub functions for i/o and memory allocation
  *
- * Last changed in libpng 1.5.4 [July 7, 2011]
- * Copyright (c) 1998-2011 Glenn Randers-Pehrson
+ * Last changed in libpng 1.5.8 [February 1, 2011]
+ * Copyright (c) 1998-2012 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
@@ -281,35 +281,40 @@ void
 png_formatted_warning(png_structp png_ptr, png_warning_parameters p,
    png_const_charp message)
 {
-   /* The internal buffer is just 128 bytes - enough for all our messages,
-    * overflow doesn't happen because this code checks!
+   /* The internal buffer is just 192 bytes - enough for all our messages,
+    * overflow doesn't happen because this code checks!  If someone figures
+    * out how to send us a message longer than 192 bytes, all that will
+    * happen is that the message will be truncated appropriately.
     */
-   size_t i;
-   char msg[128];
-
-   for (i=0; i<(sizeof msg)-1 && *message != '\0'; ++i)
+   size_t i = 0; /* Index in the msg[] buffer: */
+   char msg[192];
+
+   /* Each iteration through the following loop writes at most one character
+    * to msg[i++] then returns here to validate that there is still space for
+    * the trailing '\0'.  It may (in the case of a parameter) read more than
+    * one character from message[]; it must check for '\0' and continue to the
+    * test if it finds the end of string.
+    */
+   while (i<(sizeof msg)-1 && *message != '\0')
    {
-      if (*message == '@')
+      /* '@' at end of string is now just printed (previously it was skipped);
+       * it is an error in the calling code to terminate the string with @.
+       */
+      if (p != NULL && *message == '@' && message[1] != '\0')
       {
-         int parameter = -1;
-         switch (*++message)
-         {
-            case '1':
-               parameter = 0;
-               break;
-
-            case '2':
-               parameter = 1;
-               break;
-
-            case '\0':
-               continue; /* To break out of the for loop above. */
+         int parameter_char = *++message; /* Consume the '@' */
+         static const char valid_parameters[] = "123456789";
+         int parameter = 0;
 
-            default:
-               break;
-         }
+         /* Search for the parameter digit, the index in the string is the
+          * parameter to use.
+          */
+         while (valid_parameters[parameter] != parameter_char &&
+            valid_parameters[parameter] != '\0')
+            ++parameter;
 
-         if (parameter >= 0 && parameter < PNG_WARNING_PARAMETER_COUNT)
+         /* If the parameter digit is out of range it will just get printed. */
+         if (parameter < PNG_WARNING_PARAMETER_COUNT)
          {
             /* Append this parameter */
             png_const_charp parm = p[parameter];
@@ -319,28 +324,32 @@ png_formatted_warning(png_structp png_ptr, png_warning_parameters p,
              * that parm[] has been initialized, so there is no guarantee of a
              * trailing '\0':
              */
-            for (; i<(sizeof msg)-1 && parm != '\0' && parm < pend; ++i)
-               msg[i] = *parm++;
+            while (i<(sizeof msg)-1 && *parm != '\0' && parm < pend)
+               msg[i++] = *parm++;
 
+            /* Consume the parameter digit too: */
             ++message;
             continue;
          }
 
          /* else not a parameter and there is a character after the @ sign; just
-          * copy that.
+          * copy that.  This is known not to be '\0' because of the test above.
           */
       }
 
       /* At this point *message can't be '\0', even in the bad parameter case
        * above where there is a lone '@' at the end of the message string.
        */
-      msg[i] = *message++;
+      msg[i++] = *message++;
    }
 
    /* i is always less than (sizeof msg), so: */
    msg[i] = '\0';
 
-   /* And this is the formatted message: */
+   /* And this is the formatted message, it may be larger than
+    * PNG_MAX_ERROR_TEXT, but that is only used for 'chunk' errors and these are
+    * not (currently) formatted.
+    */
    png_warning(png_ptr, msg);
 }
 #endif /* PNG_WARNINGS_SUPPORTED */
@@ -374,11 +383,14 @@ static void /* PRIVATE */
 png_format_buffer(png_structp png_ptr, png_charp buffer, png_const_charp
     error_message)
 {
-   int iout = 0, iin = 0;
+   png_uint_32 chunk_name = png_ptr->chunk_name;
+   int iout = 0, ishift = 24;
 
-   while (iin < 4)
+   while (ishift >= 0)
    {
-      int c = png_ptr->chunk_name[iin++];
+      int c = (int)(chunk_name >> ishift) & 0xff;
+
+      ishift -= 8;
       if (isnonalpha(c))
       {
          buffer[iout++] = PNG_LITERAL_LEFT_SQUARE_BRACKET;
@@ -389,7 +401,7 @@ png_format_buffer(png_structp png_ptr, png_charp buffer, png_const_charp
 
       else
       {
-         buffer[iout++] = (png_byte)c;
+         buffer[iout++] = (char)c;
       }
    }
 
@@ -398,10 +410,11 @@ png_format_buffer(png_structp png_ptr, png_charp buffer, png_const_charp
 
    else
    {
+      int iin = 0;
+
       buffer[iout++] = ':';
       buffer[iout++] = ' ';
 
-      iin = 0;
       while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
          buffer[iout++] = error_message[iin++];