There is an underflow read in png_check_keyword in pngwutil.c in libpng-1.2.54.
If the data of "key" is only ' ' (0x20), it will read a byte before the buffer at line 1288.
The code is as follows:
1283    kp = new_key + key_len - 1;
1284    if (*kp == ' ')
1285    {
1286       png_warning(png_ptr, "trailing spaces removed from keyword");
1287
1288       while (*kp == ' ')
1289       {
1290          *(kp--) = '\0';
1291          key_len--;
1292       }
1293    }
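As an added illustration (not code from the report or from libpng), the loop below models the trailing-space walk quoted above: it steps back from the last byte while it sees a space and nothing but the data bounds it, so an all-space key walks to index -1. The model records that step instead of dereferencing before the buffer, and the bounded variant next to it is an assumed fix that uses key_len as the lower bound; sample keys are constructed.

```c
#include <stddef.h>

struct trim_result {
    size_t key_len;   /* length after trimming */
    int underflow;    /* 1 if the walk reached new_key[-1] */
};

/* Same shape as the libpng-1.2.54 loop: start at the last byte and step back
 * while it is a space, bounded only by the data. Instead of dereferencing
 * new_key[-1] (undefined behaviour), this model records the step and stops;
 * the original has no such check, so on an all-space key it reads before
 * the buffer. Caller guarantees key_len >= 1, as libpng does. */
static struct trim_result trim_unbounded(char *new_key, size_t key_len)
{
    struct trim_result r = { key_len, 0 };
    long i = (long)key_len - 1;                    /* index of kp */
    for (;;) {
        if (i < 0) { r.underflow = 1; break; }     /* original reads new_key[-1] here */
        if (new_key[i] != ' ') break;
        new_key[i--] = '\0';
        r.key_len--;
    }
    return r;
}

/* Hardened form (assumed fix, not a copy of the libpng patch): key_len bounds
 * the walk, so an all-space key trims to length 0 without touching anything
 * before new_key. */
static size_t trim_bounded(char *new_key, size_t key_len)
{
    while (key_len > 0 && new_key[key_len - 1] == ' ') {
        new_key[key_len - 1] = '\0';
        key_len--;
    }
    return key_len;
}

/* Constructed sample keys (not from the report); sizeof - 1 drops the NUL. */
static int demo_unbounded_all_spaces(void)
{   char key[] = "   "; return trim_unbounded(key, sizeof key - 1).underflow; }
static size_t demo_unbounded_normal(void)
{   char key[] = "Title  "; return trim_unbounded(key, sizeof key - 1).key_len; }
static size_t demo_bounded_all_spaces(void)
{   char key[] = "   "; return trim_bounded(key, sizeof key - 1); }
static size_t demo_bounded_normal(void)
{   char key[] = "Title  "; return trim_bounded(key, sizeof key - 1); }
```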
Thanks. libpng-1.0.65, 1.4.18, and 1.5.25 also have the same code. png_check_keyword in libpng-1.6.20 and libpng-1.7.0beta is different.
Changing line 1288 to
looks like a fix for the bug.
Last edit: Glenn Randers-Pehrson 2015-12-09
Please try libpng-1.2.56beta01 from the libpng Git repositories, libpng12 branch.
I've also fixed libpng-1.4.19beta01 in the libpng14 branch and 1.5.26beta01 in the libpng15 branch.
Fixed in libpng-1.2.56, 1.0.66, 1.4.19, and 1.5.26. Thanks.