Palette index checking fixes

The palette index checking function is called by default but only if
some *other* transformation is happening.  This makes the 'get palette
max' public API disfunctional (sometimes it works, sometimes it returns
0) and causes the supposed default behaviour of checking the palette
index only to work sometimes.  It works in pngtest, it doesn't work in
pngcp.

The check in pngread also has an off-by-one error; the number recorded
is the highest index found so it should be checked to ensure that it is
less than the palette length but it was checked for being greater.

The pull request includes a set of 8 files which all have the full range
of possible indices including one (the highest) which is invalid because
the PLTE chunk is one short of the maximum for each bit depth.

Signed-off-by: John Bowler <jbowler@acm.org>

9 files changed, 2 insertions, 2 deletions

diff --git a/contrib/testpngs/badpal/small-palette-1.png b/contrib/testpngs/badpal/small-palette-1.png
new file mode 100644
index 000000000..7e9dbfd09
--- /dev/null
+++ b/contrib/testpngs/badpal/small-palette-1.png
diff --git a/contrib/testpngs/badpal/small-palette-2.png b/contrib/testpngs/badpal/small-palette-2.png
new file mode 100644
index 000000000..6629164d7
--- /dev/null
+++ b/contrib/testpngs/badpal/small-palette-2.png
diff --git a/contrib/testpngs/badpal/small-palette-4.png b/contrib/testpngs/badpal/small-palette-4.png
new file mode 100644
index 000000000..7401dc70b
--- /dev/null
+++ b/contrib/testpngs/badpal/small-palette-4.png
diff --git a/contrib/testpngs/badpal/small-palette-8.png b/contrib/testpngs/badpal/small-palette-8.png
new file mode 100644
index 000000000..a45338713
--- /dev/null
+++ b/contrib/testpngs/badpal/small-palette-8.png
diff --git a/contrib/testpngs/badpal/test-palette-1.png b/contrib/testpngs/badpal/test-palette-1.png
new file mode 100644
index 000000000..614fd97bb
--- /dev/null
+++ b/contrib/testpngs/badpal/test-palette-1.png
diff --git a/contrib/testpngs/badpal/test-palette-2.png b/contrib/testpngs/badpal/test-palette-2.png
new file mode 100644
index 000000000..a7e996464
--- /dev/null
+++ b/contrib/testpngs/badpal/test-palette-2.png
diff --git a/contrib/testpngs/badpal/test-palette-4.png b/contrib/testpngs/badpal/test-palette-4.png
new file mode 100644
index 000000000..39853bfce
--- /dev/null
+++ b/contrib/testpngs/badpal/test-palette-4.png
diff --git a/contrib/testpngs/badpal/test-palette-8.png b/contrib/testpngs/badpal/test-palette-8.png
new file mode 100644
index 000000000..20f0b5268
--- /dev/null
+++ b/contrib/testpngs/badpal/test-palette-8.png
diff --git a/pngread.c b/pngread.c
index 96996ced5..dc62df098 100644
--- a/pngread.c
+++ b/pngread.c
@@ -568,7 +568,7 @@ png_read_row(png_structrp png_ptr, png_bytep row, png_bytep dsp_row)
 #endif
 
 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
-   if (png_ptr->transformations)
+   if (png_ptr->transformations || png_ptr->num_palette_max >= 0)
       png_do_read_transformations(png_ptr, &row_info);
 #endif
 
@@ -785,7 +785,7 @@ png_read_end(png_structrp png_ptr, png_inforp info_ptr)
 #ifdef PNG_READ_CHECK_FOR_INVALID_INDEX_SUPPORTED
    /* Report invalid palette index; added at libng-1.5.10 */
    if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
-       png_ptr->num_palette_max > png_ptr->num_palette)
+       png_ptr->num_palette_max >= png_ptr->num_palette)
       png_benign_error(png_ptr, "Read palette index exceeding num_palette");
 #endif