mirror of
				https://git.code.sf.net/p/libpng/code.git
				synced 2025-07-10 18:04:09 +02:00 
			
		
		
		
	[libpng12] Avoid out-of-bounds memory access while checking version string in
pngread.c and pngwrite.c
		
							parent
							
								
									ee6be87332
								
							
						
					
					
						commit
						afd39b47f7
					
				
							
								
								
									
										6
									
								
								ANNOUNCE
									
									
									
									
									
								
							
							
						
						
									
									
									
									
									
									
								
							| @ -1,5 +1,5 @@ | |||||||
| 
 | 
 | ||||||
| Libpng 1.2.52beta01 - February 6, 2014 | Libpng 1.2.52beta01 - November 6, 2014 | ||||||
| 
 | 
 | ||||||
| This is not intended to be a public release.  It will be replaced | This is not intended to be a public release.  It will be replaced | ||||||
| within a few weeks by a public version or by another test version. | within a few weeks by a public version or by another test version. | ||||||
| @ -43,7 +43,9 @@ Other information: | |||||||
| 
 | 
 | ||||||
| Changes since the last public release (1.2.51): | Changes since the last public release (1.2.51): | ||||||
| 
 | 
 | ||||||
| version 1.2.52beta01 [February 6, 2014] | version 1.2.52beta01 [November 6, 2014] | ||||||
|  |   Avoid out-of-bounds memory access while checking version string in | ||||||
|  |     pngread.c and pngwrite.c | ||||||
| 
 | 
 | ||||||
| Send comments/corrections/commendations to png-mng-implement at lists.sf.net | Send comments/corrections/commendations to png-mng-implement at lists.sf.net | ||||||
| (subscription required; visit | (subscription required; visit | ||||||
|  | |||||||
							
								
								
									
										4
									
								
								CHANGES
									
									
									
									
									
								
							
							
						
						
									
									
									
									
									
									
								
							| @ -2814,7 +2814,9 @@ version 1.2.51rc04 [February 3, 2014] | |||||||
| version 1.0.61 and 1.2.51 [February 6, 2014] | version 1.0.61 and 1.2.51 [February 6, 2014] | ||||||
|   Added an #ifdef PNG_FIXED_POINT_SUPPORTED/#endif in pngset.c |   Added an #ifdef PNG_FIXED_POINT_SUPPORTED/#endif in pngset.c | ||||||
| 
 | 
 | ||||||
| version 1.2.52beta01 [February 6, 2014] | version 1.2.52beta01 [November 6, 2014] | ||||||
|  |   Avoid out-of-bounds memory access while checking version string in | ||||||
|  |     pngread.c and pngwrite.c | ||||||
| 
 | 
 | ||||||
| Send comments/corrections/commendations to png-mng-implement at lists.sf.net | Send comments/corrections/commendations to png-mng-implement at lists.sf.net | ||||||
| (subscription required; visit | (subscription required; visit | ||||||
|  | |||||||
							
								
								
									
										18
									
								
								pngread.c
									
									
									
									
									
								
							
							
						
						
									
									
									
									
									
									
								
							| @ -100,16 +100,22 @@ png_create_read_struct_2(png_const_charp user_png_ver, png_voidp error_ptr, | |||||||
| 
 | 
 | ||||||
|    png_set_error_fn(png_ptr, error_ptr, error_fn, warn_fn); |    png_set_error_fn(png_ptr, error_ptr, error_fn, warn_fn); | ||||||
| 
 | 
 | ||||||
|    if (user_png_ver) |    if (user_png_ver != NULL) | ||||||
|    { |    { | ||||||
|       i = 0; |       int found_dots = 0; | ||||||
|  |       i = -1; | ||||||
|  | 
 | ||||||
|       do |       do | ||||||
|       { |       { | ||||||
|          if (user_png_ver[i] != png_libpng_ver[i]) |          i++; | ||||||
|  |          if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i]) | ||||||
|             png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; |             png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; | ||||||
|       } while (png_libpng_ver[i++]); |          if (user_png_ver[i] == '.') | ||||||
|     } |             found_dots++; | ||||||
|     else |       } while (found_dots < 2 && user_png_ver[i] != 0 && | ||||||
|  |             PNG_LIBPNG_VER_STRING[i] != 0); | ||||||
|  |    } | ||||||
|  |    else | ||||||
|          png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; |          png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | |||||||
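Review bot: The rewritten loop in png_create_read_struct_2 has no comment explaining why it stops once `found_dots` reaches 2, so a reader cannot tell that only the major.minor prefix is compared and that a difference in the release number no longer sets PNG_FLAG_LIBRARY_MISMATCH. I would add above the `do`: `/* Compare through the second '.' only; stop at the first NUL in either string so a short user_png_ver is never read past its end. */`. The `i = -1` start also relies on `i` being a signed type; its declaration is outside the hunk and is worth confirming. The function body starts and ends outside the hunk.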
							
								
								
									
										21
									
								
								pngwrite.c
									
									
									
									
									
								
							
							
						
						
									
									
									
									
									
									
								
							| @ -525,15 +525,23 @@ png_create_write_struct_2(png_const_charp user_png_ver, png_voidp error_ptr, | |||||||
| #endif /* PNG_USER_MEM_SUPPORTED */ | #endif /* PNG_USER_MEM_SUPPORTED */ | ||||||
|    png_set_error_fn(png_ptr, error_ptr, error_fn, warn_fn); |    png_set_error_fn(png_ptr, error_ptr, error_fn, warn_fn); | ||||||
| 
 | 
 | ||||||
|    if (user_png_ver) |    if (user_png_ver != NULL) | ||||||
|    { |    { | ||||||
|       i = 0; |       int found_dots = 0; | ||||||
|  |       i = -1; | ||||||
|  | 
 | ||||||
|       do |       do | ||||||
|       { |       { | ||||||
|          if (user_png_ver[i] != png_libpng_ver[i]) |          i++; | ||||||
|  |          if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i]) | ||||||
|             png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; |             png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; | ||||||
|       } while (png_libpng_ver[i++]); |          if (user_png_ver[i] == '.') | ||||||
|  |             found_dots++; | ||||||
|  |       } while (found_dots < 2 && user_png_ver[i] != 0 && | ||||||
|  |             PNG_LIBPNG_VER_STRING[i] != 0); | ||||||
|    } |    } | ||||||
|  |    else | ||||||
|  |       png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; | ||||||
| 
 | 
 | ||||||
|    if (png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) |    if (png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) | ||||||
|    { |    { | ||||||
| @ -684,8 +692,9 @@ png_write_init_3(png_structpp ptr_ptr, png_const_charp user_png_ver, | |||||||
|          png_warning(png_ptr, |          png_warning(png_ptr, | ||||||
|  "Application uses deprecated png_write_init() and should be recompiled."); |  "Application uses deprecated png_write_init() and should be recompiled."); | ||||||
| #endif | #endif | ||||||
|       } |    } | ||||||
|    } while (png_libpng_ver[i++]); |       i++; | ||||||
|  |    } while (png_libpng_ver[i] != 0 && user_png_ver[i] != 0); | ||||||
| 
 | 
 | ||||||
|    png_debug(1, "in png_write_init_3"); |    png_debug(1, "in png_write_init_3"); | ||||||
| 
 | 
 | ||||||
|  | |||||||
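Review bot: In the png_write_init_3 hunk the new condition `while (png_libpng_ver[i] != 0 && user_png_ver[i] != 0)` exits as soon as either string ends, and because `i++` now runs at the end of the body the terminating position is never compared. Assuming the comparison sits at the top of the loop (it is outside the hunk), a user_png_ver that is a strict prefix of the library version would pass without a mismatch being reported. The loop in png_create_write_struct_2 earlier in this file increments first, so it does compare the terminator, and it reads PNG_LIBPNG_VER_STRING and stops at the second dot, so the two checks now disagree. I would either reuse that loop shape here or add a check after the loop, `if (user_png_ver[i] != png_libpng_ver[i])`, with the same mismatch handling. Whether user_png_ver is tested for NULL before this loop is not visible in the hunk and should be confirmed.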
	 Glenn Randers-Pehrson
						Glenn Randers-Pehrson