[libpng14] Avoid out-of-bounds memory access in png_user_version_check().

Simplified and future-proofed png_user_version_check().

ANNOUNCE

@@ -1,5 +1,5 @@
 
-Libpng 1.4.14beta01 - February 6, 2014
+Libpng 1.4.14beta01 - November 6, 2014
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -27,8 +27,9 @@ Other information:
 
 Changes since the last public release (1.4.13):
 
-version 1.4.14beta01 [February 6, 2014]
+version 1.4.14beta01 [November 6, 2014]
-  No changes.
+  Avoid out-of-bounds memory access in png_user_version_check().
+  Simplified and future-proofed png_user_version_check().
 
 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit

CHANGES

@@ -2909,7 +2909,9 @@ version 1.4.13rc02 [January 30, 2014]
 version 1.4.13 [February 6, 2014]
   No changes.
 
-version 1.4.14beta01 [February 6, 2014]
+version 1.4.14beta01 [November 6, 2014]
+  Avoid out-of-bounds memory access in png_user_version_check().
+  Simplified and future-proofed png_user_version_check().
 
 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit

pngread.c

@@ -1,7 +1,7 @@
 
 /* pngread.c - read a PNG file
  *
- * Last changed in libpng 1.4.13 [%RDATE%]
+ * Last changed in libpng 1.4.13 [February 6, 2014]
  * Copyright (c) 1998-2014 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -53,8 +53,6 @@ png_create_read_struct_2(png_const_charp user_png_ver, png_voidp error_ptr,
 #endif
 #endif
 
-   int i;
-
    png_debug(1, "in png_create_read_struct");
 
 #ifdef PNG_USER_MEM_SUPPORTED
@@ -99,14 +97,20 @@ png_create_read_struct_2(png_const_charp user_png_ver, png_voidp error_ptr,
 
    png_set_error_fn(png_ptr, error_ptr, error_fn, warn_fn);
 
-   if (user_png_ver)
+    if (user_png_ver != NULL)
-   {
+    {
-      i = 0;
+       int i = -1;
-      do
+       int found_dots = 0;
-      {
+
-         if (user_png_ver[i] != png_libpng_ver[i])
+       do
-            png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
+       {
-      } while (png_libpng_ver[i++]);
+          i++;
+          if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
+             png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
+          if (user_png_ver[i] == '.')
+             found_dots++;
+       } while (found_dots < 2 && user_png_ver[i] != 0 &&
+             PNG_LIBPNG_VER_STRING[i] != 0);
     }
     else
          png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;

pngwrite.c

@@ -480,7 +480,6 @@ png_create_write_struct_2(png_const_charp user_png_ver, png_voidp error_ptr,
    jmp_buf jmpbuf;
 #endif
 #endif
-   int i;
 
    png_debug(1, "in png_create_write_struct");
 
@@ -519,14 +518,20 @@ png_create_write_struct_2(png_const_charp user_png_ver, png_voidp error_ptr,
 #endif /* PNG_USER_MEM_SUPPORTED */
    png_set_error_fn(png_ptr, error_ptr, error_fn, warn_fn);
 
-   if (user_png_ver)
+   if (user_png_ver != NULL)
    {
-      i = 0;
+      int i = -1;
+      int found_dots = 0;
+
       do
       {
-         if (user_png_ver[i] != png_libpng_ver[i])
+         i++;
+         if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
             png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
-      } while (png_libpng_ver[i++]);
+         if (user_png_ver[i] == '.')
+            found_dots++;
+      } while (found_dots < 2 && user_png_ver[i] != 0 &&
+            PNG_LIBPNG_VER_STRING[i] != 0);
    }
 
    if (png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH)