Hello, Roy,
Thank you very much for your report. I confirm the problem that you reported, and I will provide a fix.
I am deleting the attached file for the time being, and I will put it back after the fix is released.
Best regards,
Cosmin
The crash is in GIFReadNextExtension. There is a realloc() call that might return new memory, and a ptr variable that caches the old value of the memory and continues to write to it. The fix is to do something like:
222c222
< size_t offset;
---
> unsigned char *ptr;
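Review bot: the sides of this hunk are reversed: `size_t offset;` is the replacement and `unsigned char *ptr;` is the line being removed, so the `<` and `>` markers (here and in the three hunks that follow) must be swapped before anyone applies the diff, as the follow-up comment acknowledges.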
236c236
< offset = 0;
---
> ptr = ext->Buffer;
246c246
< count = ReadDataBlock(ext->Buffer + offset, stream);
---
> count = ReadDataBlock(ptr, stream);
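Review bot: this line is the actual fix and deserves a source comment saying so: computing `ext->Buffer + offset` on every call derives the write target from the current buffer, whereas `ptr` was captured before the realloc() and could point into freed memory after the buffer moved. A future refactor that hoists `ext->Buffer + offset` into a local across the realloc() would quietly reintroduce the bug.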
249c249
< offset += count;
---
> ptr += count;
oops, the diffs are reversed; swap < for >, and > for <.
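The stale-pointer bug described above and the offset-based fix, as an added example in C that is not OptiPNG's own code: read_data_block, read_extension and demo_total are assumed stand-ins for the GIF sub-block reader, run over constructed input.

```c
#include <stdlib.h>
#include <string.h>
/* Added example, not OptiPNG's code; struct and function names are assumptions. */
struct ext_block { unsigned char *Buffer; size_t BufferSize; };
struct byte_stream { const unsigned char *data; size_t len, pos; };
/* Stand-in for ReadDataBlock(): copies one sub-block (length byte, then
 * payload) to dst. Returns payload length, 0 at the terminator, -1 if truncated. */
static int read_data_block(unsigned char *dst, struct byte_stream *s)
{
    if (s->pos >= s->len) return -1;
    size_t n = s->data[s->pos++];
    if (n > s->len - s->pos) return -1;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return (int)n;
}
/* Mirrors the patched logic: ext->Buffer + offset is recomputed after every
 * realloc(), so a moved buffer never leaves a stale pointer. -1 on error. */
static long read_extension(struct ext_block *ext, struct byte_stream *s)
{
    size_t offset = 0;
    for (;;) {
        if (ext->BufferSize - offset < 255) {        /* sub-block <= 255 bytes */
            unsigned char *p = realloc(ext->Buffer, ext->BufferSize + 256);
            if (p == NULL) return -1;
            ext->Buffer = p;              /* old address may now be invalid */
            ext->BufferSize += 256;
        }
        int count = read_data_block(ext->Buffer + offset, s);
        if (count < 0) return -1;
        if (count == 0) return (long)offset;         /* 0-length terminator */
        offset += (size_t)count;
    }
}
/* Constructed input: nblocks sub-blocks of blen bytes each, then the
 * terminator unless truncate is set. Returns read_extension()'s result. */
static long demo_total(int nblocks, int blen, int truncate)
{
    size_t body = (size_t)nblocks * (blen + 1), len = body + !truncate;
    unsigned char *data = calloc(len, 1);
    if (data == NULL) return -1;
    for (size_t pos = 0; pos < body; pos += blen + 1) {
        data[pos] = (unsigned char)blen; memset(data + pos + 1, 'x', (size_t)blen);
    }
    struct byte_stream s = { data, len, 0 }; struct ext_block ext = { NULL, 0 };
    long total = read_extension(&ext, &s);
    free(ext.Buffer); free(data);
    return total;
}
```

Three 200-byte sub-blocks force the buffer through several realloc() calls, which is exactly where a cached pointer would have gone stale.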
Roy,
I issued a suite of security patches, available from the OptiPNG home page.
The fix will be incorporated in the next release.
Both your report and your fix are highly appreciated.
Thank you very much!
The previously-removed file is put back
Closing this defect, at last.
Many thanks to Roy for reporting, and to Bryan McQuade for the fix.