mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[lbpng17] Avoid potential pointer overflow in png_handle_sPLT() and

Browse Source 
png_handle_pCAL() (Bug report by John Regehr).
This commit is contained in:
Glenn Randers-Pehrson 2015-11-13 22:25:03 -06:00
parent 722645fec5
commit c09b3ab2c7
3 changed files with 13 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ANNOUNCE
View File

@ -1,5 +1,5 @@
Libpng 1.7.0beta69 - November 13, 2015
Libpng 1.7.0beta69 - November 14, 2015
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
@ -960,11 +960,15 @@ Version 1.7.0beta67 [November 3, 2015]
Removed much of the long list of previous versions from png.h and
libpng.3.
Version 1.7.0beta68 [November 13, 2015]
Version 1.7.0beta68 [November 12, 2015]
Fixed new bug with CRC error after reading an over-length palette
(bug report by Cosmin Truta).
Cleaned up coding style in png_handle_PLTE().
Version 1.7.0beta69 [November 14, 2015]
Avoid potential pointer overflow in png_handle_sPLT() and
png_handle_pCAL() (Bug report by John Regehr).
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement

6
CHANGES
View File

@ -5259,10 +5259,14 @@ Version 1.7.0beta67 [November 3, 2015]
Removed much of the long list of previous versions from png.h and
libpng.3.
Version 1.7.0beta68 [November 13, 2015]
Version 1.7.0beta68 [November 12, 2015]
Fixed new bug with CRC error after reading an over-length palette
(bug report by Cosmin Truta) (CVE-2015-8126).
Cleaned up coding style in png_handle_PLTE().
Version 1.7.0beta69 [November 14, 2015]
Avoid potential pointer overflow in png_handle_sPLT() and
png_handle_pCAL() (Bug report by John Regehr).
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit

4
pngrutil.c
View File

@ -1530,7 +1530,7 @@ png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr)
++entry_start;
/* A sample depth should follow the separator, and we should be on it */
if (entry_start > buffer + length - 2)
if (length < 2 || entry_start > buffer + length - 2)
{
png_chunk_benign_error(png_ptr, "malformed");
return;
@ -1948,7 +1948,7 @@ png_handle_pCAL(png_structrp png_ptr, png_inforp info_ptr)
/* We need to have at least 12 bytes after the purpose string
* in order to get the parameter information.
*/
if (endptr <= buf + 12)
if (png_ptr->chunk_length < 12 || endptr <= buf + 12)
{
png_chunk_benign_error(png_ptr, "invalid");
return;