Version 1.5.4
"pngrutil.c"
When a corrupted PNG file is loaded, the application (in this case a Qt application) using the libpng libraries crashes, because there is insufficient validation in the pngrutil.c file. The program crashes because png_handle_cHRM does not check whether 'w' is zero before dividing by it. This patch fixes the bug:
--- a/src/3rdparty/libpng/pngrutil.c
+++ b/src/3rdparty/libpng/pngrutil.c
@@ -1037,12 +1037,15 @@ png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
*/
png_uint_32 w = y_red + y_green + y_blue;
- png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red *
- 32768)/w);
- png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green
- * 32768)/w);
- png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue *
- 32768)/w);
+ if (w != 0)
+ {
+ png_ptr->rgb_to_gray_red_coeff = (png_uint_16)(((png_uint_32)y_red *
+ 32768)/w);
+ png_ptr->rgb_to_gray_green_coeff = (png_uint_16)(((png_uint_32)y_green
+ * 32768)/w);
+ png_ptr->rgb_to_gray_blue_coeff = (png_uint_16)(((png_uint_32)y_blue *
+ 32768)/w);
+ }
}
}
#endif
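Review bot: When w is zero the new block skips the three rgb_to_gray_*_coeff assignments without any diagnostic, so a cHRM chunk whose Y values sum to zero is silently accepted and the coefficients keep whatever value they held before, rather than the malformed chunk being reported. Adding `else png_warning(png_ptr, "Ignoring cHRM chunk with zero Y sum");` after the new `if (w != 0) { ... }` block would make the corrupted input visible to the caller's error callback while still avoiding the division by zero. The guard also only addresses w == 0: `(png_uint_32)y_red * 32768` can still wrap for large Y values taken from the file, which presumably is bounded where the chunk values are parsed, but that code is outside this hunk and worth confirming. The enclosing png_handle_cHRM function begins before the hunk, so the derivation of y_red, y_green and y_blue is not visible here.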
Attached is the corrupted png file that can also be used to verify this issue.
Corrupted png file
This bug has been fixed in libpng-1.5.5beta07. Please give it a try.
Fixed in libpng-1.5.5, and reported as CERT VU#477046, CVE-2011-3328.