mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[libpng15] Avoid out-of-bounds memory access in png_user_version_check().

Browse Source 
Simplified and future-proofed png_user_version_check().
This commit is contained in:
Glenn Randers-Pehrson 2014-11-06 07:58:21 -06:00
parent f2f5e89566
commit df8dd1183c
3 changed files with 39 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ANNOUNCE
View File

@ -1,5 +1,5 @@
Libpng 1.5.20beta01 - August 21, 2014 Libpng 1.5.20beta01 - November 6, 2014
This is not intended to be a public release. It will be replaced This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version. within a few weeks by a public version or by another test version.
@ -27,7 +27,11 @@ Other information:
Changes since the last public release (1.5.19): Changes since the last public release (1.5.19):
Version 1.5.20 [August 21, 2014] Version 1.5.20beta01 [November 6, 2014]
Removed "option WRITE_COMPRESSED_TEXT enables WRITE_TEXT" from pnglibconf.dfa
Only mark text chunks as written after successfully writing them.
Avoid out-of-bounds memory access in png_user_version_check().
Simplified and future-proofed png_user_version_check().
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

6
CHANGES
View File

@ -4246,6 +4246,12 @@ Version 1.5.19rc01 [August 14, 2014]
Version 1.5.19 [August 21, 2014] Version 1.5.19 [August 21, 2014]
Added PNG_UNUSED(png_ptr) and PNG_UNUSED(val) in png_longjmp() (Cosmin). Added PNG_UNUSED(png_ptr) and PNG_UNUSED(val) in png_longjmp() (Cosmin).
Version 1.5.20beta01 [November 6, 2014]
Removed "option WRITE_COMPRESSED_TEXT enables WRITE_TEXT" from pnglibconf.dfa
Only mark text chunks as written after successfully writing them.
Avoid out-of-bounds memory access in png_user_version_check().
Simplified and future-proofed png_user_version_check().
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement https://lists.sourceforge.net/lists/listinfo/png-mng-implement

52
png.c
View File

@ -174,49 +174,51 @@ png_calculate_crc(png_structp png_ptr, png_const_bytep ptr, png_size_t length)
int int
png_user_version_check(png_structp png_ptr, png_const_charp user_png_ver) png_user_version_check(png_structp png_ptr, png_const_charp user_png_ver)
{ {
/* Libpng versions 1.0.0 and later are binary compatible if the version
* string matches through the second '.'; we must recompile any
* applications that use any older library version.
*/
if (user_png_ver != NULL) if (user_png_ver != NULL)
{ {
int i = 0; int i = -1;
int found_dots = 0;
do do
{ {
if (user_png_ver[i] != png_libpng_ver[i]) i++;
if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
} while (png_libpng_ver[i++]); if (user_png_ver[i] == '.')
found_dots++;
} while (found_dots < 2 && user_png_ver[i] != 0 &&
PNG_LIBPNG_VER_STRING[i] != 0);
} }
else else
png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
if (png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0)
{ {
/* Libpng 0.90 and later are binary incompatible with libpng 0.89, so
* we must recompile any applications that use any older library version.
* For versions after libpng 1.0, we will be compatible, so we need
* only check the first digit.
*/
if (user_png_ver == NULL || user_png_ver[0] != png_libpng_ver[0] ||
(user_png_ver[0] == '1' && user_png_ver[2] != png_libpng_ver[2]) ||
(user_png_ver[0] == '0' && user_png_ver[2] < '9'))
{
#ifdef PNG_WARNINGS_SUPPORTED #ifdef PNG_WARNINGS_SUPPORTED
size_t pos = 0; size_t pos = 0;
char m[128]; char m[128];
pos = png_safecat(m, sizeof m, pos, "Application built with libpng-"); pos = png_safecat(m, (sizeof m), pos,
pos = png_safecat(m, sizeof m, pos, user_png_ver); "Application built with libpng-");
pos = png_safecat(m, sizeof m, pos, " but running with "); pos = png_safecat(m, (sizeof m), pos, user_png_ver);
pos = png_safecat(m, sizeof m, pos, png_libpng_ver); pos = png_safecat(m, (sizeof m), pos, " but running with ");
pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING);
PNG_UNUSED(pos)
png_warning(png_ptr, m); png_warning(png_ptr, m);
#endif #endif
#ifdef PNG_ERROR_NUMBERS_SUPPORTED #ifdef PNG_ERROR_NUMBERS_SUPPORTED
png_ptr->flags = 0; png_ptr->flags = 0;
#endif #endif
return 0; return 0;
}
} }
/* Success return. */ /* Success return. */
@ -658,13 +660,13 @@ png_get_copyright(png_const_structp png_ptr)
#else #else
# ifdef __STDC__ # ifdef __STDC__
return PNG_STRING_NEWLINE \ return PNG_STRING_NEWLINE \
"libpng version 1.5.20beta01 - August 21, 2014" PNG_STRING_NEWLINE \ "libpng version 1.5.20beta01 - November 6, 2014" PNG_STRING_NEWLINE \
"Copyright (c) 1998-2014 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \ "Copyright (c) 1998-2014 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \
"Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \ "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
"Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \ "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
PNG_STRING_NEWLINE; PNG_STRING_NEWLINE;
# else # else
return "libpng version 1.5.20beta01 - August 21, 2014\ return "libpng version 1.5.20beta01 - November 6, 2014\
Copyright (c) 1998-2014 Glenn Randers-Pehrson\ Copyright (c) 1998-2014 Glenn Randers-Pehrson\
Copyright (c) 1996-1997 Andreas Dilger\ Copyright (c) 1996-1997 Andreas Dilger\
Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc."; Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.";