Please take a look at this code from png_push_read_zTXt (libpng-1.2.31/pngpread.c:1277-1288)
tmp = text;
text = (png_charp)png_malloc(png_ptr, text_size +
png_memcpy(text, tmp, text_size);
png_memcpy(text + text_size, png_ptr->zbuf,
png_ptr->zbuf_size - png_ptr->zstream.avail_out);
text_size += png_ptr->zbuf_size - png_ptr->zstream.avail_out;
*(text + text_size) = '\0';
Unless I'm seriously misreading this code, the last line writes one byte beyond the end of the allocated memory. It should allocate one more byte. This is causing crashes for me in Konqueror, which is how I came across this. Adding one, the crashes go away.
I looked briefly at the other reported bugs, but didn't come across this one, and found the same problem exists in 1.4.0b33. Apologies if I missed something. In case you need any details or testing, you can contact me at email@example.com.
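The following is an added example, not code from libpng or from the reporter: a small C model of the buffer-growth step quoted above, where each refill of zbuf is appended to the heap string and then NUL-terminated. It runs the same sequence of steps twice, once sizing the new block as text_size + n (as in the report) and once with the extra byte, and uses a hidden guard byte after each block to show where the terminating store lands. The chunks, the guard value and the function names are constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the append loop in libpng's png_push_read_zTXt
 * (not libpng code): every time inflate() fills zbuf, the decompressed
 * bytes are appended to `text` and the result is NUL-terminated. */

#define GUARD 0xA5   /* hypothetical sentinel written just past the block */

/* Append n bytes from zbuf to the heap string *text (*text_size bytes so
 * far, not counting the terminator).  fixed == 0 sizes the new block as
 * text_size + n, exactly as in the report; fixed == 1 adds one byte.
 * The real allocation is padded with one extra guard byte so that an
 * off-by-one store hits the guard instead of foreign heap memory.
 * Returns 1 if the guard was overwritten, i.e. the terminator was stored
 * past the end of the block the code believed it had, else 0. */
static int append_chunk(char **text, size_t *text_size,
                        const unsigned char *zbuf, size_t n, int fixed)
{
    size_t alloc = *text_size + n + (fixed ? 1 : 0);  /* what the code asks for */
    char *tmp = *text;
    char *buf = malloc(alloc + 1);                    /* +1 is the hidden guard */
    if (buf == NULL) { perror("malloc"); exit(1); }
    buf[alloc] = (char)GUARD;

    if (tmp != NULL) {
        memcpy(buf, tmp, *text_size);                 /* png_memcpy(text, tmp, ...) */
        free(tmp);
    }
    memcpy(buf + *text_size, zbuf, n);                /* copy the new zbuf output */
    *text_size += n;
    buf[*text_size] = '\0';                           /* *(text + text_size) = '\0' */

    int clobbered = ((unsigned char)buf[alloc] != GUARD);
    *text = buf;
    return clobbered;
}

/* Constructed "decompressed" output, split as if zbuf filled three times. */
static const char *const chunks[] = {
    "Comment", " text that ", "spans several zbuf fills"
};
#define NCHUNKS (sizeof chunks / sizeof chunks[0])

/* Run the growth loop over all chunks; returns how many appends wrote the
 * terminator past the block, and hands back the assembled string. */
static int run_ztxt_growth(int fixed, char **out, size_t *out_len)
{
    char *text = NULL;
    size_t text_size = 0;
    int overruns = 0;
    for (size_t i = 0; i < NCHUNKS; i++)
        overruns += append_chunk(&text, &text_size,
                                 (const unsigned char *)chunks[i],
                                 strlen(chunks[i]), fixed);
    *out = text;
    *out_len = text_size;
    return overruns;
}

/* Number of out-of-bounds terminator stores for the given sizing rule. */
static int overrun_count(int fixed)
{
    char *t; size_t len;
    int n = run_ztxt_growth(fixed, &t, &len);
    free(t);
    return n;
}

/* 1 if the assembled string equals the concatenation of the chunks. */
static int result_is_intact(int fixed)
{
    char *t; size_t len;
    run_ztxt_growth(fixed, &t, &len);
    int ok = (len == 42 &&
              strcmp(t, "Comment text that spans several zbuf fills") == 0);
    free(t);
    return ok;
}

int main(void)
{
    printf("sized text_size + n    : %d of %zu appends wrote past the block\n",
           overrun_count(0), NCHUNKS);
    printf("sized text_size + n + 1: %d of %zu appends wrote past the block\n",
           overrun_count(1), NCHUNKS);
    return 0;
}
```

With the sizing from the report every append stores the terminator one byte past the block it asked for; with the extra byte none do. Without the guard padding the same store would land on whatever the allocator placed after the block, which is why the symptom shows up as a crash elsewhere rather than at the store itself; compiling the unpadded variant under AddressSanitizer reports it as a one-byte heap-buffer-overflow at the terminating write.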