mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[libpng16] Corrected previous attempt at overflow detection in

Browse Source 
png_set_unknown_chunks().
This commit is contained in:
John Bowler 2013-01-17 13:24:05 -06:00 committed by Glenn Randers-Pehrson
parent ba35f1e4c1
commit 9dd2bfafe5
3 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ANNOUNCE
View File

@ -1,5 +1,5 @@
Libpng 1.6.0beta38 - January 10, 2013 Libpng 1.6.0beta38 - January 17, 2013
This is not intended to be a public release. It will be replaced This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version. within a few weeks by a public version or by another test version.
@ -587,7 +587,8 @@ Version 1.6.0beta37 [January 10, 2013]
Fixed conceivable but difficult to repro overflow. Also added two test Fixed conceivable but difficult to repro overflow. Also added two test
programs to generate and test a PNG which should have the problem. programs to generate and test a PNG which should have the problem.
Version 1.6.0beta38 [January 10, 2013] Version 1.6.0beta38 [January 17, 2013]
Corrected previous attempt at overflow detection in png_set_unknown_chunks().
=========================================================================== ===========================================================================
NOTICE November 17, 2012: NOTICE November 17, 2012:

3
CHANGES
View File

@ -4340,7 +4340,8 @@ Version 1.6.0beta37 [January 10, 2013]
Fixed conceivable but difficult to repro overflow. Also added two test Fixed conceivable but difficult to repro overflow. Also added two test
programs to generate and test a PNG which should have the problem. programs to generate and test a PNG which should have the problem.
Version 1.6.0beta38 [January 10, 2013] Version 1.6.0beta38 [January 17, 2013]
Corrected previous attempt at overflow detection in png_set_unknown_chunks().
=========================================================================== ===========================================================================
NOTICE November 17, 2012: NOTICE November 17, 2012:

4
pngset.c
View File

@ -1130,7 +1130,7 @@ png_set_unknown_chunks(png_const_structrp png_ptr,
* limit. * limit.
*/ */
if (num_unknowns > PNG_UINT_32_MAX - info_ptr->unknown_chunks_num || if (num_unknowns > PNG_UINT_32_MAX - info_ptr->unknown_chunks_num ||
num_unknowns > PNG_SIZE_MAX/(sizeof *np) - info_ptr->unknown_chunks_num) num_unknowns + info_ptr->unknown_chunks_num > PNG_SIZE_MAX/(sizeof *np))
{ {
/* This is a benign read error (user limits are disabled and we are about /* This is a benign read error (user limits are disabled and we are about
* to overflow 2^32 chunks) and an application write error. * to overflow 2^32 chunks) and an application write error.
@ -1141,7 +1141,7 @@ png_set_unknown_chunks(png_const_structrp png_ptr,
} }
np = png_voidcast(png_unknown_chunkp, png_malloc(png_ptr, np = png_voidcast(png_unknown_chunkp, png_malloc(png_ptr,
(info_ptr->unknown_chunks_num + (unsigned int)num_unknowns) * (info_ptr->unknown_chunks_num + num_unknowns) *
(sizeof (png_unknown_chunk)))); (sizeof (png_unknown_chunk))));
memcpy(np, info_ptr->unknown_chunks, memcpy(np, info_ptr->unknown_chunks,