	[devel] Fixed 1-byte uninitialized memory reference in png_format_buffer()
(Bug report by Frank Busse, related to CVE-2004-0421).
		
							parent
							
								
									36edbb5eee
								
							
						
					
					
						commit
						07e1d34a84
					
				
							
								
								
									
										24
									
								
								ANNOUNCE
									
									
									
									
									
								
							
							
						
						
									
									
									
									
									
									
								
							| @ -1,5 +1,5 @@ | ||||
| 
 | ||||
| Libpng 1.5.3rc01 - June 3, 2011 | ||||
| Libpng 1.5.3rc02 - June 7, 2011 | ||||
| 
 | ||||
| This is not intended to be a public release.  It will be replaced | ||||
| within a few weeks by a public version or by another test version. | ||||
| @ -9,20 +9,20 @@ Files available for download: | ||||
| Source files with LF line endings (for Unix/Linux) and with a | ||||
| "configure" script | ||||
| 
 | ||||
|    1.5.3rc01.tar.xz (LZMA-compressed, recommended) | ||||
|    1.5.3rc01.tar.gz | ||||
|    1.5.3rc01.tar.bz2 | ||||
|    1.5.3rc02.tar.xz (LZMA-compressed, recommended) | ||||
|    1.5.3rc02.tar.gz | ||||
|    1.5.3rc02.tar.bz2 | ||||
| 
 | ||||
| Source files with CRLF line endings (for Windows), without the | ||||
| "configure" script | ||||
| 
 | ||||
|    lp153r01.7z  (LZMA-compressed, recommended) | ||||
|    lp153r01.zip | ||||
|    lp153r02.7z  (LZMA-compressed, recommended) | ||||
|    lp153r02.zip | ||||
| 
 | ||||
| Other information: | ||||
| 
 | ||||
|    1.5.3rc01-README.txt | ||||
|    1.5.3rc01-LICENSE.txt | ||||
|    1.5.3rc02-README.txt | ||||
|    1.5.3rc02-LICENSE.txt | ||||
| 
 | ||||
| Changes since the last public release (1.5.2): | ||||
| 
 | ||||
| @ -125,7 +125,9 @@ Version 1.5.3beta08 [May 16, 2011] | ||||
|   Added memory overwrite and palette image checks to pngvalid.c | ||||
|     Previously palette image code was poorly checked. Since the transformation | ||||
|     code has a special palette path in most cases this was a severe weakness. | ||||
|   Minor cleanup and some extra checking in pngrutil.c and pngrtran.c | ||||
|   Minor cleanup and some extra checking in pngrutil.c and pngrtran.c. When | ||||
|     expanding an indexed image, always expand to RGBA if transparency is | ||||
|     present. | ||||
| 
 | ||||
| Version 1.5.3beta09 [May 17, 2011] | ||||
|  Reversed earlier 1.5.3 change of transformation order; move png_expand_16 back. | ||||
| @ -148,6 +150,10 @@ Version 1.5.3beta10 [May 20, 2011] | ||||
| Version 1.5.3rc01 [June 3, 2011] | ||||
|   No changes. | ||||
| 
 | ||||
| Version 1.5.3rc02 [June 7, 2011] | ||||
|   Fixed 1-byte uninitialized memory reference in png_format_buffer() (Bug | ||||
|     report by Frank Busse, related to CVE-2004-0421). | ||||
| 
 | ||||
| Send comments/corrections/commendations to png-mng-implement at lists.sf.net: | ||||
| (subscription required; visit | ||||
| https://lists.sourceforge.net/lists/listinfo/png-mng-implement | ||||
|  | ||||
							
								
								
									
										8
									
								
								CHANGES
									
									
									
									
									
								
							
							
						
						
									
									
									
									
									
									
								
							| @ -3386,7 +3386,9 @@ Version 1.5.3beta08 [May 16, 2011] | ||||
|   Added memory overwrite and palette image checks to pngvalid.c | ||||
|     Previously palette image code was poorly checked. Since the transformation | ||||
|     code has a special palette path in most cases this was a severe weakness. | ||||
|   Minor cleanup and some extra checking in pngrutil.c and pngrtran.c | ||||
|   Minor cleanup and some extra checking in pngrutil.c and pngrtran.c. When | ||||
|     expanding an indexed image, always expand to RGBA if transparency is | ||||
|     present. | ||||
| 
 | ||||
| Version 1.5.3beta09 [May 17, 2011] | ||||
|   Reversed earlier 1.5.3 change of transformation order; move png_expand_16 | ||||
| @ -3411,6 +3413,10 @@ Version 1.5.3beta10 [May 20, 2011] | ||||
| Version 1.5.3rc01 [June 3, 2011] | ||||
|   No changes. | ||||
| 
 | ||||
| Version 1.5.3rc02 [June 7, 2011] | ||||
|   Fixed 1-byte uninitialized memory reference in png_format_buffer() (Bug | ||||
|     report by Frank Busse, related to CVE-2004-0421). | ||||
| 
 | ||||
| Send comments/corrections/commendations to png-mng-implement at lists.sf.net | ||||
| (subscription required; visit | ||||
| https://lists.sourceforge.net/lists/listinfo/png-mng-implement | ||||
|  | ||||
| @ -400,8 +400,13 @@ png_format_buffer(png_structp png_ptr, png_charp buffer, png_const_charp | ||||
|    { | ||||
|       buffer[iout++] = ':'; | ||||
|       buffer[iout++] = ' '; | ||||
|       png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT); | ||||
|       buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0'; | ||||
| 
 | ||||
|       iin = 0; | ||||
|       while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0') | ||||
|          buffer[iout++] = error_message[iin++]; | ||||
| 
 | ||||
|       /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */ | ||||
|       buffer[iout] = '\0'; | ||||
|    } | ||||
| } | ||||
| #endif /* PNG_WARNINGS_SUPPORTED || PNG_ERROR_TEXT_SUPPORTED */ | ||||
|  | ||||
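Review bot: The comment above the terminator in png_format_buffer() justifies `buffer[iout] = '\0'` by a bound on `iin`, but the index being written is `iout`, and the signature in the hunk header passes `buffer` as a bare `png_charp` with no size. The write is in bounds only if every caller supplies a buffer with room for whatever prefix was written before this block, the two separator bytes, and up to PNG_MAX_ERROR_TEXT bytes of message including the terminator; the callers are outside this hunk, so that contract is presumably met but is neither stated nor checked here. I would reword the comment to something like `/* at most PNG_MAX_ERROR_TEXT-1 bytes were copied; buffer must have room for the prefix plus PNG_MAX_ERROR_TEXT bytes */` and document the minimum buffer size in the function's header comment. The function body begins before the hunk, so the prefix length and the declaration of `iin` cannot be confirmed from what is shown.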
	 Glenn Randers-Pehrson
						Glenn Randers-Pehrson