mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[libpng15] Fixed an out-of-range read in png_check_keyword() (Bug report

Browse Source 
from Qixue Xiao).
This commit is contained in:
Glenn Randers-Pehrson 2015-12-09 09:40:48 -06:00
parent 93e111afc5
commit d9006f683c
3 changed files with 21 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
ANNOUNCE
View File

@ -1,36 +1,34 @@
Libpng 1.5.25 - December 3, 2015 Libpng 1.5.26beta01 - December 9, 2015
This is a public release of libpng, intended for use in production codes. This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
Files available for download: Files available for download:
Source files with LF line endings (for Unix/Linux) and with a Source files with LF line endings (for Unix/Linux) and with a
"configure" script "configure" script
libpng-1.5.25.tar.xz (LZMA-compressed, recommended) 1.5.26beta01.tar.xz (LZMA-compressed, recommended)
libpng-1.5.25.tar.gz 1.5.26beta01.tar.gz
Source files with CRLF line endings (for Windows), without the Source files with CRLF line endings (for Windows), without the
"configure" script "configure" script
lpng1525.7z (LZMA-compressed, recommended) lp1526b01.7z (LZMA-compressed, recommended)
lpng1525.zip lp1526b01.zip
Other information: Other information:
libpng-1.5.25-README.txt 1.5.26beta01-README.txt
libpng-1.5.25-LICENSE.txt 1.5.26beta01-LICENSE.txt
libpng-1.5.25-*.asc (armored detached GPG signatures) libpng-1.5.26beta01-*.asc (armored detached GPG signatures)
Changes since the last public release (1.5.24): Changes since the last public release (1.5.25):
Avoid potential pointer overflow in png_handle_iTXt(), png_handle_zTXt(), version 1.5.26 [December 9, 2015]
png_handle_sPLT(), and png_handle_pCAL() (Bug report by John Regehr). Fixed an out-of-range read in png_check_keyword() (Bug report from
Fixed incorrect implementation of png_set_PLTE() that uses png_ptr Qixue Xiao).
not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
vulnerability.
Backported tests from libpng-1.7.0beta69.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

7
CHANGES
View File

@ -4431,7 +4431,7 @@ version 1.5.25beta01 [November 20, 2015]
version 1.5.25beta02 [November 23, 2015] version 1.5.25beta02 [November 23, 2015]
Fixed incorrect implementation of png_set_PLTE() that uses png_ptr Fixed incorrect implementation of png_set_PLTE() that uses png_ptr
not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126 not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
vulnerability. vulnerability. Fixes CVE-2015-8472.
version 1.5.25beta03 [November 24, 2015] version 1.5.25beta03 [November 24, 2015]
Backported tests from libpng-1.7.0beta69. Backported tests from libpng-1.7.0beta69.
@ -4440,6 +4440,11 @@ version 1.5.25rc01 [November 26, 2015]
No changes. No changes.
version 1.5.25 [December 3, 2015] version 1.5.25 [December 3, 2015]
No changes.
version 1.5.26beta01 [December 9, 2015]
Fixed an out-of-range read in png_check_keyword() (Bug report from
Qixue Xiao).
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

2
pngwutil.c
View File

@ -1580,7 +1580,7 @@ png_check_keyword(png_structp png_ptr, png_const_charp key, png_charpp new_key)
{ {
png_warning(png_ptr, "trailing spaces removed from keyword"); png_warning(png_ptr, "trailing spaces removed from keyword");
while (*kp == ' ') while (key_len && *kp == ' ')
{ {
*(kp--) = '\0'; *(kp--) = '\0';
key_len--; key_len--;