From 1408c2afeb2cbc32c0221a829064b5b75622613f Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson
Date: Sun, 16 Jan 2011 14:16:28 -0600
Subject: [PATCH] [devel] Prevent png_push_crc_skip() from hanging while reading an unknown chunk or an over-large compressed zTXt chunk with the progressive reader.
---
 ANNOUNCE | 2 ++
 CHANGES | 2 ++
 pngpread.c | 2 +-
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/ANNOUNCE b/ANNOUNCE
index cc15ddd3f..38dd438a7 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -60,6 +60,8 @@ Version 1.5.1beta05 [January 16, 2011]
 changed exp() back to png_exp().
 Version 1.5.1beta06 [January 16, 2011]
+ Prevent png_push_crc_skip() from hanging while reading an unknown chunk
+ or an over-large compressed zTXT chunk with the progressive reader.
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net:
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index 6af131f72..e49f36e9f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3176,6 +3176,8 @@ Version 1.5.1beta05 [January 16, 2011]
 changed exp() back to png_exp().
 Version 1.5.1beta06 [January 16, 2011]
+ Prevent png_push_crc_skip() from hanging while reading an unknown chunk
+ or an over-large compressed zTXT chunk with the progressive reader.
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/pngpread.c b/pngpread.c
index a7452aa65..64ed7b985 100644
--- a/pngpread.c
+++ b/pngpread.c
@@ -582,7 +582,7 @@ png_push_crc_finish(png_structp png_ptr)
 {
 if (png_ptr->skip_length && png_ptr->save_buffer_size)
 {
- png_size_t save_size = png_ptr->current_buffer_size;
+ png_size_t save_size = png_ptr->save_buffer_size;
 png_uint_32 skip_length = png_ptr->skip_length;
 /* We want the smaller of 'skip_length' and 'current_buffer_size', but
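Review bot: The context comment directly below the changed declaration in pngpread.c still names `'skip_length' and 'current_buffer_size'`, but in this save-buffer branch the value being bounded is now `png_ptr->save_buffer_size`; it should read `/* We want the smaller of 'skip_length' and 'save_buffer_size', but` so the comment does not steer a later edit back to the wrong field. Since the old mismatch let chunk lengths taken from untrusted input stall the progressive reader, a regression test that feeds an unknown chunk and an over-large zTXt chunk to the push reader in small pieces would keep this denial-of-service path covered. png_push_crc_finish continues past the end of the hunk, so the rest of the branch (the CRC call and the buffer pointer and size updates) could not be checked here and should be confirmed to use the save_buffer fields consistently.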