mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[libpng12] Fixed off-by-one bug in png_handle_sCAL() when using fixed point

Browse Source 
arithmetic, causing out-of-bounds read in png_set_sCAL() because of failure
to copy the string terminators (Franke Busse).
This commit is contained in:
Glenn Randers-Pehrson 2012-02-26 20:42:28 -06:00
parent 440e3a9803
commit d0bd02c4ca
3 changed files with 19 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ANNOUNCE
View File

@ -1,5 +1,5 @@
Libpng 1.2.48beta01 - February 22, 2012
Libpng 1.2.48beta01 - February 27, 2012
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
@ -42,13 +42,17 @@ Other information:
Changes since the last public release (1.2.46):
version 1.2.48beta01 [February 22, 2012]
version 1.2.48beta01 [February 27, 2012]
Removed two useless #ifdef directives from pngread.c and one from pngrutil.c
Eliminated redundant png_push_read_tEXt|zTXt|iTXt|unknown code from
pngpread.c and use the sequential png_handle_tEXt, etc., in pngrutil.c;
now that png_ptr->buffer is inaccessible to applications, the special
handling is no longer useful.
Fixed bug with png_handle_hIST with odd chunk length (Frank Busse).
Fixed incorrect type (int copy should be png_size_t copy) in png_inflate().
Fixed off-by-one bug in png_handle_sCAL() when using fixed point arithmetic,
causing out-of-bounds read in png_set_sCAL() because of failure to copy
the string terminators (Franke Busse).
(subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement

8
CHANGES
View File

@ -2741,17 +2741,23 @@ version 1.2.47beta01 [February 17, 2012]
version 1.0.57rc01 and 1.2.47rc01 [February 17, 2012]
Fixed CVE-2011-3026 buffer overrun bug.
Fixed CVE-2011-3026 buffer overrun bug. This bug was introduced when
iCCP chunk support was added at libpng-1.0.6.
version 1.0.57 and 1.2.47 [February 18, 2012]
No changes.
version 1.2.48beta01 [February 22, 2012]
version 1.2.48beta01 [February 27, 2012]
Removed two useless #ifdef directives from pngread.c and one from pngrutil.c
Eliminated redundant png_push_read_tEXt|zTXt|iTXt|unknown code from
pngpread.c and use the sequential png_handle_tEXt, etc., in pngrutil.c;
now that png_ptr->buffer is inaccessible to applications, the special
handling is no longer useful.
Fixed bug with png_handle_hIST with odd chunk length (Frank Busse).
Fixed incorrect type (int copy should be png_size_t copy) in png_inflate().
Fixed off-by-one bug in png_handle_sCAL() when using fixed point arithmetic,
causing out-of-bounds read in png_set_sCAL() because of failure to copy
the string terminators (Franke Busse).
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit

12
pngrutil.c
View File

@ -1,7 +1,7 @@
/* pngrutil.c - utilities to read a PNG file
*
* Last changed in libpng 1.2.48 [February 22, 2012]
* Last changed in libpng 1.2.48 [February 27, 2012]
* Copyright (c) 1998-2012 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@ -247,8 +247,8 @@ png_inflate(png_structp png_ptr, const png_byte *data, png_size_t size,
{
if (output != 0 && output_size > count)
{
int copy = output_size - count;
if (avail < copy) copy = avail;
png_size_t copy = output_size - count;
if ((png_size_t) avail < copy) copy = (png_size_t) avail;
png_memcpy(output + count, png_ptr->zbuf, copy);
}
count += avail;
@ -1858,11 +1858,11 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
png_ptr->chunkdata = NULL;
return;
}
png_memcpy(swidth, ep, (png_size_t)png_strlen(ep));
png_memcpy(swidth, ep, (png_size_t)png_strlen(ep) + 1);
#endif
#endif
for (ep = png_ptr->chunkdata; *ep; ep++)
for (ep = png_ptr->chunkdata + 1; *ep; ep++)
/* Empty loop */ ;
ep++;
@ -1902,7 +1902,7 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
#endif
return;
}
png_memcpy(sheight, ep, (png_size_t)png_strlen(ep));
png_memcpy(sheight, ep, (png_size_t)png_strlen(ep) + 1);
#endif
#endif