mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[lbpng16] Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue.

Browse Source
This commit is contained in:
Glenn Randers-Pehrson 2017-08-05 20:51:23 -05:00
parent c5c778bcfc
commit 39d84f4f6a
3 changed files with 24 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ANNOUNCE
View File

@ -87,6 +87,8 @@ Version 1.6.32beta11 [August 6, 2017]
Removed unused chunk_name parameter from png_check_chunk_length(). Removed unused chunk_name parameter from png_check_chunk_length().
Relocated setting free_me for eXIf data, to stop an OSS-fuzz leak. Relocated setting free_me for eXIf data, to stop an OSS-fuzz leak.
Initialize profile_header[] in png_handle_iCCP() to fix OSS-fuzz issue. Initialize profile_header[] in png_handle_iCCP() to fix OSS-fuzz issue.
Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix OSS-fuzz UMR.
Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

2
CHANGES
View File

@ -5970,6 +5970,8 @@ Version 1.6.32beta11 [August 6, 2017]
Removed unused chunk_name parameter from png_check_chunk_length(). Removed unused chunk_name parameter from png_check_chunk_length().
Relocated setting free_me for eXIf data, to stop an OSS-fuzz leak. Relocated setting free_me for eXIf data, to stop an OSS-fuzz leak.
Initialize profile_header[] in png_handle_iCCP() to fix OSS-fuzz issue. Initialize profile_header[] in png_handle_iCCP() to fix OSS-fuzz issue.
Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix OSS-fuzz UMR.
Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

11
pngrutil.c
View File

@ -2636,9 +2636,13 @@ png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
{ {
png_text text; png_text text;
/* It worked; png_ptr->read_buffer now looks like a tEXt chunk except if (png_ptr->read_buffer == NULL)
* for the extra compression type byte and the fact that it isn't errmsg="Read failure in png_handle_zTXt";
* necessarily '\0' terminated. else
{
/* It worked; png_ptr->read_buffer now looks like a tEXt chunk
* except for the extra compression type byte and the fact that
* it isn't necessarily '\0' terminated.
*/ */
buffer = png_ptr->read_buffer; buffer = png_ptr->read_buffer;
buffer[uncompressed_length+(keyword_length+2)] = 0; buffer[uncompressed_length+(keyword_length+2)] = 0;
@ -2654,6 +2658,7 @@ png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0) if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0)
errmsg = "insufficient memory"; errmsg = "insufficient memory";
} }
}
else else
errmsg = png_ptr->zstream.msg; errmsg = png_ptr->zstream.msg;