#244 read underflow in libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25 (pngwutil.c)

libpng_code
closed-fixed
None
5
2016-01-18
2015-12-09
xqx12
No

There is an underflow read in png_check_keyword in pngwutil.c in libpng-1.2.54.
If the data of "key" is only ' ' (0x20), it will read a byte before the buffer at line 1288.
The code is as follows:

    1283     kp = new_key + key_len - 1;
    1284     if (*kp == ' ')
    1285     {
    1286         png_warning(png_ptr, "trailing spaces removed from keyword");
    1287
    1288         while (*kp == ' ')
    1289         {
    1290             *(kp--) = '\0';
    1291             key_len--;
    1292         }
    1293     }

Discussion

  • Glenn Randers-Pehrson

    Thanks. libpng-1.0.65, 1.4.18, and 1.5.25 also have the same code. png_check_keyword in libpng-1.6.20 and libpng-1.7.0beta is different.

     
  • Glenn Randers-Pehrson

    • assigned_to: Glenn Randers-Pehrson
     
  • Glenn Randers-Pehrson

    • summary: read underflow in libpng 1.2.54 --> read underflow in libpng 1.2.54, 1.0.65, 1.4.18, and 1.5.25 (pngwutil.c)
     
  • Glenn Randers-Pehrson

    Changing line 1288 to

    while (key_len && *kp == ' ')
    

    looks like a fix for the bug.

     
    Last edit: Glenn Randers-Pehrson 2015-12-09
  • Glenn Randers-Pehrson

    Please try libpng-1.2.56beta01 from the libpng Git repositories, libpng12 branch.
    I've also fixed libpng-1.4.19beta01 in the libpng14 branch and 1.5.26beta01 in the libpng15 branch.

     
  • Glenn Randers-Pehrson

    • summary: read underflow in libpng 1.2.54, 1.0.65, 1.4.18, and 1.5.25 (pngwutil.c) --> read underflow in libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25 (pngwutil.c)
     
  • Glenn Randers-Pehrson

    • status: open --> closed-fixed
     
  • Glenn Randers-Pehrson

    Fixed in libpng-1.2.56, 1.0.66, 1.4.19, and 1.5.26. Thanks.
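The loop from the report and the one-line fix from the discussion, side by side in a constructed C harness. This is an added example, not libpng code and not code posted in this ticket. The keyword buffer is placed GUARD bytes into a larger array so that the walk below new_key can be counted instead of being undefined behaviour; GUARD, key_region, peek and the helper names are this example's own. It also makes visible what the reported code implies: every byte the loop steps onto is overwritten with '\0', and key_len, an unsigned png_size_t, wraps once it passes zero.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed harness, not libpng code. PNG keywords are 1..79 bytes. The
 * keyword sits GUARD bytes into one array so that a walk below new_key
 * stays inside memory we own and can be counted. Only the trailing-space
 * loop is modelled; the keyword is assumed non-empty on entry, as in the
 * report. */
#define GUARD   8
#define KEY_MAX 79

struct key_region {
    char   mem[GUARD + KEY_MAX + 1];
    char  *new_key;          /* mem + GUARD: what the libpng loop calls new_key */
    size_t key_len;          /* png_size_t in libpng: unsigned, wraps below 0 */
    size_t underflow_reads;  /* dereferences of kp while kp < new_key */
};

static void key_region_init(struct key_region *r, const char *key)
{
    /* Bytes "before" the keyword: spaces, with a non-space stop byte at
     * mem[0] so the unchecked loop terminates inside the array. Real
     * memory ahead of the buffer holds whatever happens to be there. */
    memset(r->mem, ' ', GUARD);
    r->mem[0] = '\x01';
    r->new_key = r->mem + GUARD;
    r->key_len = strlen(key);
    if (r->key_len > KEY_MAX) r->key_len = KEY_MAX;
    memcpy(r->new_key, key, r->key_len);
    r->new_key[r->key_len] = '\0';
    r->underflow_reads = 0;
}

/* Dereference kp, counting every read that lands below new_key. */
static char peek(struct key_region *r, const char *kp)
{
    if (kp < r->new_key) r->underflow_reads++;
    return *kp;
}

/* Loop as in pngwutil.c of libpng 1.2.55, 1.0.65, 1.4.18 and 1.5.25: only
 * the byte under kp is tested, so an all-space keyword drives kp below
 * new_key and key_len below zero. */
static void trim_spaces_original(struct key_region *r)
{
    char *kp = r->new_key + r->key_len - 1;
    if (peek(r, kp) == ' ') {
        while (peek(r, kp) == ' ') {
            *(kp--) = '\0';
            r->key_len--;
        }
    }
}

/* Same loop with the fix from the discussion (libpng 1.2.56, 1.0.66, 1.4.19,
 * 1.5.26): key_len is tested first and && short-circuits, so kp is never
 * dereferenced once the whole keyword has been consumed. */
static void trim_spaces_fixed(struct key_region *r)
{
    char *kp = r->new_key + r->key_len - 1;
    if (peek(r, kp) == ' ') {
        while (r->key_len && peek(r, kp) == ' ') {
            *(kp--) = '\0';
            r->key_len--;
        }
    }
}

/* Run one variant on a keyword and leave the result in *r. */
static void run_trim(const char *key, int fixed, struct key_region *r)
{
    key_region_init(r, key);
    if (fixed) trim_spaces_fixed(r); else trim_spaces_original(r);
}

/* Accessors used by the demonstration (and by tests). */
static size_t underflow_reads_for(const char *key, int fixed)
{ struct key_region r; run_trim(key, fixed, &r); return r.underflow_reads; }

static size_t key_len_after(const char *key, int fixed)
{ struct key_region r; run_trim(key, fixed, &r); return r.key_len; }

/* How many of the GUARD bytes below new_key were overwritten with '\0'. */
static size_t guard_bytes_zeroed(const char *key, int fixed)
{
    struct key_region r; size_t n = 0;
    run_trim(key, fixed, &r);
    for (size_t i = 0; i < GUARD; i++) if (r.mem[i] == '\0') n++;
    return n;
}

int main(void)
{
    const char *inputs[] = { "Title  ", "   " };   /* constructed sample keywords */
    for (size_t i = 0; i < 2; i++) {
        for (int fixed = 0; fixed < 2; fixed++) {
            printf("%-8s \"%s\": %zu underflow reads, %zu guard bytes zeroed, key_len=%zu\n",
                   fixed ? "fixed" : "original", inputs[i],
                   underflow_reads_for(inputs[i], fixed),
                   guard_bytes_zeroed(inputs[i], fixed),
                   key_len_after(inputs[i], fixed));
        }
    }
    return 0;
}
```

With the reporter's input of three spaces, the original loop reads all eight guard bytes, zeroes the seven that were spaces, and leaves key_len wrapped to (size_t)-7; the fixed loop performs no read below new_key and exits with key_len 0, leaving an empty keyword for the caller to deal with. A keyword with ordinary trailing spaces ("Title  ") behaves identically under both versions, which is why the bug only shows up for an all-space keyword.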

     
