#192 PNG text headers are clipped

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2010-04-13
Created: 2010-04-13
Creator: G. Myers
Private: No

The Author, Description, and Title text fields in the PNG header are clipped to 255 bytes, even though the PNG specification allows chunk sizes up to 2^31-1 bytes. This is due to the use of iGetString(), where the max length is a magic number hard-coded to 255. The solution is to use ilGetString(), which allows an unbounded string length.

A patch for this bug is attached.

References:
http://www.libpng.org/pub/png/spec/1.2/PNG-Structure.html#Chunk-layout
http://www.libpng.org/pub/png/spec/1.2/PNG-Rationale.html#R.Chunk-layout
http://www.libpng.org/pub/png/spec/1.2/PNG-Chunks.html#C.Anc-text

Discussion

  • G. Myers
    2010-04-29

    My original solution to this bug was flawed. I should have known better than to use ilGetString() which is an "internal" function. This resulted in a double free() and led to unpredictable crashes.

    A better solution is to use iGetString() but replace the call to iClipString() with strdup() to ensure that the entire string is used without clipping at an arbitrary length.

    An updated patch file is attached.

  • G. Myers
    2010-04-29

    New patch file based on comment #1

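The fix described in the discussion above (keep the bounded reader, drop the 255-byte clip) in working form, as an added example that is not part of the ticket or of the library's own patch. The function names `png_text_value`, `build_sample_text_chunk` and `sample_text_length` are hypothetical, and the sample tEXt payload is constructed here. Instead of strdup() the copy is taken by explicit length, because the text inside a tEXt chunk is not NUL-terminated (PNG spec, tEXt layout), so the only trustworthy bound is the chunk length from the header. The `clip` flag reproduces the old 255-byte behaviour so the two results can be compared side by side.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the clipping behaviour the ticket describes:
 * at most 255 bytes of the text survive, the rest is silently dropped. */
#define CLIP_MAX 255

static char *copy_bytes(const char *s, size_t len)
{
    char *out = malloc(len + 1);       /* +1 for the terminator we add */
    if (out == NULL)
        return NULL;
    memcpy(out, s, len);
    out[len] = '\0';
    return out;
}

/*
 * Parse the payload of a PNG tEXt chunk: keyword, a single NUL, then the
 * text (which is NOT NUL-terminated inside the chunk). Returns a freshly
 * allocated, NUL-terminated copy of the text, or NULL if there is no
 * separator or the keyword violates the 1..79 byte rule from the spec.
 * `clip` selects the old 255-byte clipping so the two can be compared.
 */
char *png_text_value(const unsigned char *data, uint32_t chunk_len, int clip)
{
    const unsigned char *sep = memchr(data, '\0', chunk_len);
    if (sep == NULL)
        return NULL;
    size_t kw_len = (size_t)(sep - data);
    if (kw_len == 0 || kw_len > 79)
        return NULL;
    const char *text = (const char *)(sep + 1);
    size_t text_len = chunk_len - kw_len - 1;   /* bounded by the chunk length */
    if (clip && text_len > CLIP_MAX)
        text_len = CLIP_MAX;
    return copy_bytes(text, text_len);
}

/* Build a constructed tEXt payload: keyword "Description", NUL, then
 * `text_len` 'x' bytes. Returns the payload length, or 0 if it does not fit. */
size_t build_sample_text_chunk(unsigned char *buf, size_t cap, size_t text_len)
{
    static const char keyword[] = "Description";
    size_t kw_len = sizeof keyword - 1;
    size_t total = kw_len + 1 + text_len;
    if (total > cap)
        return 0;
    memcpy(buf, keyword, kw_len);
    buf[kw_len] = '\0';
    memset(buf + kw_len + 1, 'x', text_len);
    return total;
}

/* Parse a constructed 300-byte Description with or without clipping and
 * return how many text bytes came back: 255 clipped, 300 unclipped. */
size_t sample_text_length(int clip)
{
    unsigned char payload[512];
    size_t n = build_sample_text_chunk(payload, sizeof payload, 300);
    if (n == 0)
        return 0;
    char *text = png_text_value(payload, (uint32_t)n, clip);
    if (text == NULL)
        return 0;
    size_t len = strlen(text);
    free(text);
    return len;
}

int main(void)
{
    printf("clipped: %zu bytes, full: %zu bytes\n",
           sample_text_length(1), sample_text_length(0));
    return 0;
}
```

One caveat that follows from removing the clip: the allocation size is now driven entirely by the chunk length in the file, which the spec allows to reach 2^31-1 bytes, so a decoder that reads untrusted images may still want an explicit upper limit on text chunks, chosen deliberately rather than left as an accidental 255.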