From: Glenn Randers-P. <gl...@gm...> - 2011-06-09 15:50:01
Thanks. I guess those infamous patches for libpng-1.0.5e and 1.0.5f (1999) are going to be haunting us with security problems forever. The bug exists in all versions since then (libpng10, 12, 14, and 15). Thankfully, it does not affect the embedded libpng in mozilla products, and I believe it also doesn't affect mozilla products that use a system libpng. It doesn't affect ImageMagick, GraphicsMagick, or pngcrush. All of these use the png_set_keep_unknown_chunk mechanism to avoid decoding the sCAL chunk and other chunks that they don't need.

On Thu, Jun 9, 2011 at 11:00 AM, Frank Busse <s88...@ma...> wrote:
> Hi,
>
> when the 1.2 series reads an empty sCAL chunk (12 bytes), length is 0
> and one byte is allocated and set to 0 in chunkdata. Afterwards ep is
> positioned behind chunkdata and then used in png_strtod resp.
> png_strlen.
>
> --
> void /* PRIVATE */
> png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
> {
>    png_charp ep;
>    ...
>    png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
>    ...
>    slength = (png_size_t)length;
>    ...
>    png_ptr->chunkdata[slength] = 0x00; /* Null terminate the last string */
>
>    ep = png_ptr->chunkdata + 1; /* Skip unit byte */
>    ...
>    width = png_strtod(png_ptr, ep, &vp);
>    ...
>    swidth = (png_charp)png_malloc_warn(png_ptr, png_strlen(ep) + 1);
> --
>
> Kind regards,
>
> Frank
>
> Attachment: scal_zero2.png (based on brokensuite)
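The defect in the quoted handler, as an added illustration in C (example code, not libpng's own): ep_past_terminator reduces the report to its arithmetic, and parse_scal_checked is a hypothetical bounds-checked version of the same sCAL parse, with result names and sample payloads of this example's own invention.

```c
#include <stdlib.h>
#include <string.h>
/* Result codes of the checked parser; the names are this example's own. */
enum { SCAL_OK = 0, SCAL_TOO_SHORT, SCAL_BAD_UNIT, SCAL_BAD_NUMBER, SCAL_OOM };

/* The reported defect reduced to its arithmetic: chunkdata holds length + 1
   bytes (indices 0..length, the last one the NUL) and ep = chunkdata + 1 is
   taken before length is checked. With length == 0 that is index 1, one past
   the allocation, and png_strtod/png_strlen then read from there. */
static int ep_past_terminator(size_t length)
{
    return length < 1;
}

/* Checked parse of a sCAL payload (unit byte, ASCII width, NUL, ASCII height).
   Reads at most `length` bytes of `payload`, whatever the chunk claims. */
static int parse_scal_checked(const unsigned char *payload, size_t length,
                              int *unit, double *width, double *height)
{
    char *chunkdata, *ep, *sep, *endp;
    int rc = SCAL_BAD_NUMBER;

    if (length < 4)                          /* unit, one digit, NUL, one digit */
        return SCAL_TOO_SHORT;
    if (payload[0] != 1 && payload[0] != 2)  /* 1 = metre, 2 = radian */
        return SCAL_BAD_UNIT;

    chunkdata = malloc(length + 1);          /* same sizing as the handler */
    if (chunkdata == NULL)
        return SCAL_OOM;
    memcpy(chunkdata, payload, length);
    chunkdata[length] = 0x00;                /* Null terminate the last string */

    ep = chunkdata + 1;                      /* Skip unit byte: in bounds now */
    sep = memchr(ep, 0, length - 1);         /* separator must lie inside the payload */
    if (sep != NULL && sep != ep && sep + 1 != chunkdata + length) {
        *width = strtod(ep, &endp);          /* width field ends exactly at the NUL */
        if (endp == sep && *width > 0.0) {
            *height = strtod(sep + 1, &endp); /* height field ends at the terminator */
            if (endp == chunkdata + length && *height > 0.0) {
                *unit = payload[0];
                rc = SCAL_OK;
            }
        }
    }
    free(chunkdata);
    return rc;
}
```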