libmng 1.0.9 seems to write past the end of an allocated memory block under certain circumstances. This can cause an immediate crash or can cause a memory corruption that has unpredictable effects. This works properly in libmng 1.0.8 - the problem was apparently introduced in 1.0.9.

A sample image that turns up the problem is MNGPAST8a.mng from the MNG test suite.

The code location where the errant write occurs is in mng_magnify_rgba8_x2(), at line 15539. As far as I can tell, the problem isn't actually in this function; it looks like the root problem must be in mng_magnify_imageobject(), which actually allocates the memory block that's being overrun and coordinates the row-by-row writing into the block.

I haven't quite figured out where the miscalculation is occurring - I can't tell if it's an error calculating the amount to allocate or an error in the pointer arithmetic traversing the rows. There's no obvious difference between the working 1.0.8 and broken 1.0.9 versions of these routines, so it's probably some other routine that's the real problem.
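As an added illustration (not libmng's own code), here is a simplified x2 pixel-replication magnify of an RGBA8 image in which the allocation size and the row writer are derived from the same geometry and every row write is bounds-checked, so a miscalculation in either place is refused instead of overrunning the heap block. The function names, the pure-replication scaling and the 4-byte pixel layout are assumptions for the example, not libmng's MAGN semantics.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Added example, not libmng code: x2 magnification of an RGBA8 image by
   pixel replication. Allocation size and row writer share one geometry and
   each row write is bounds-checked, so a miscalculation is refused rather
   than overrunning the heap block. */
#define BPP 4  /* bytes per RGBA8 pixel (assumed layout) */
/* Bytes needed for the 2x-magnified image, or 0 if that does not fit. */
size_t magnified_size(uint32_t width, uint32_t height) {
    if (width == 0 || height == 0) return 0;
    uint64_t row = 2 * (uint64_t)width * BPP;      /* <= 2^35, no overflow */
    uint64_t dh = 2 * (uint64_t)height;
    if (row > UINT64_MAX / dh) return 0;           /* row * dh would overflow */
    uint64_t bytes = row * dh;
    return bytes > SIZE_MAX ? 0 : (size_t)bytes;
}

/* Write one magnified row at row_offset; refuses any write that would land
   outside [dst, dst + dst_size). */
int magnify_row_x2(const uint8_t *src, uint32_t width,
                   uint8_t *dst, size_t dst_size, size_t row_offset) {
    if (width > SIZE_MAX / (2 * BPP)) return -1;   /* row size would wrap */
    size_t row_bytes = (size_t)width * 2 * BPP;
    if (row_offset > dst_size || row_bytes > dst_size - row_offset)
        return -1;
    uint8_t *out = dst + row_offset;
    for (size_t x = 0; x < width; x++) {           /* each pixel becomes two */
        memcpy(out + (2 * x) * BPP, src + x * BPP, BPP);
        memcpy(out + (2 * x + 1) * BPP, src + x * BPP, BPP);
    }
    return 0;
}

/* Magnify a whole image; returns a malloc'd buffer or NULL on any error. */
uint8_t *magnify_rgba8_x2(const uint8_t *src, uint32_t width, uint32_t height) {
    size_t size = magnified_size(width, height);
    if (size == 0) return NULL;
    uint8_t *dst = malloc(size);
    if (dst == NULL) return NULL;
    size_t dst_row = (size_t)width * 2 * BPP;
    for (size_t y = 0; y < height; y++) {
        const uint8_t *src_row = src + y * width * BPP;
        for (size_t r = 0; r < 2; r++)             /* two identical output rows */
            if (magnify_row_x2(src_row, width, dst, size,
                               (2 * y + r) * dst_row) != 0) {
                free(dst);
                return NULL;
            }
    }
    return dst;
}
```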