From: Frank B. <s88...@ma...> - 2011-11-20 22:31:02
|
Hi, I find the following text in png.h a little bit misleading: -- png_text holds the contents of a text/ztxt/itxt chunk in a PNG file, and whether that contents is compressed or not. The "key" field points to a regular zero-terminated C string. The "text", "lang", and "lang_key" fields can be regular C strings, empty strings, or NULL pointers. However, the structure returned by png_get_text() will always contain regular zero-terminated C strings (possibly empty), never NULL pointers, so they can be safely used in printf() and other string-handling functions. -- Only key and text are non-NULL, not lang and lang_key. Another oddity is the compression field: -- int compression; /* compression value: -1: tEXt, none 0: zTXt, deflate 1: iTXt, none 2: iTXt, deflate */ -- In 1.2 there is no range check, in 1.4 (and 1.5) there is a check in png_set_text_2(): -- if (text_ptr[i].compression < PNG_TEXT_COMPRESSION_NONE || text_ptr[i].compression >= PNG_TEXT_COMPRESSION_LAST) -- but this check is inconsequent. For instance png_handle_iTXt() reads the compression flag, ignores the real value if it's non-zero, decompresses the text and sets the successor as compression: -- comp_flag = *lang++; ... if (comp_flag) png_decompress_chunk(png_ptr, comp_type, (size_t)length, prefix_len, &data_len); ... text_ptr->compression = (int)comp_flag + 1; -- and then the check in pngset.c prevents that lang and lang_key were set. Even worse, if one sets the compression flag in a file to 0xFE or 0xFF the API (compression) signals a tEXt resp. compr. zTXt chunk with itxt_length = 0 and text_length set. No way to tell the difference between the latin-1 and utf-8 chunks without extra code... I know there is no string validation in libpng, but the handling of erroneous chunks should be consistent. Kind regards, Frank |