From: Glenn Randers-P. <gl...@gm...> - 2012-02-27 02:55:38
The bugs appear to exist in libpng12 and libpng14. I have pushed a fix to both branches of the libpng GIT repository. I haven't got a good test for this, so please try it out.

Glenn

On Sat, Feb 25, 2012 at 3:34 PM, Frank Busse <s88...@ma...> wrote:

> prerequisites:
> #define PNG_FIXED_POINT_SUPPORTED
> #define PNG_NO_FLOATING_POINT_SUPPORTED
>
> Hi,
>
> again some defects in png_handle_sCAL.
>
> 1. off-by-one in memcpy (missing \0):
> --
> swidth = (png_charp)png_malloc_warn(png_ptr, png_strlen(ep) + 1);
> if (swidth == NULL)
> {
>    ...
> }
> png_memcpy(swidth, ep, (png_size_t)png_strlen(ep));
> --
>
> 2. same error for sheight:
> --
> sheight = (png_charp)png_malloc_warn(png_ptr, png_strlen(ep) + 1);
> if (sheight == NULL)
> {
>    ...
> }
> png_memcpy(sheight, ep, (png_size_t)png_strlen(ep));
> --
>
> Both result in an out-of-bounds read in png_set_sCAL_s/strlen.
>
> 3. missing range check of unit specifier or wrong placement of ep:
> --
> ep = png_ptr->chunkdata + 1; /* Skip unit byte */
>
> ...
>
> for (ep = png_ptr->chunkdata; *ep; ep++)
>    /* Empty loop */ ;
> ep++;
> --
>
> Libpng rereads width if unit specifier is 0.
>
> Kind regards,
>
> Frank
>
> - sCAL in attachment contains 0x00 as unit followed by invalid 1111111
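An added example, not part of the original thread and not libpng's code: a standalone sCAL payload parser that avoids the three reported defects by writing the terminator on every copy, range-checking the unit byte, and searching for the width/height separator from the byte after the unit. The names `parse_scal` and `dup_terminated` are hypothetical, the accepted unit values 1 and 2 come from the PNG specification rather than from the thread, and the sample payload is constructed from the report's description of the attachment.

```c
#include <stdlib.h>
#include <string.h>

/* Copy src[0..n) into a fresh buffer and always write the terminator. */
static char *dup_terminated(const unsigned char *src, size_t n)
{
    char *out = malloc(n + 1);
    if (out != NULL) {
        memcpy(out, src, n);
        out[n] = '\0';          /* the byte the reported memcpy leaves unset */
    }
    return out;
}

/* sCAL payload: unit byte, width string, NUL, height string (to end of chunk).
 * Returns 0 on success, -1 on malformed input or allocation failure. */
int parse_scal(const unsigned char *data, size_t len,
               int *unit, char **width, char **height)
{
    const unsigned char *w, *sep;
    size_t wlen, hlen;
    *width = *height = NULL;
    /* Unit range check: 1 (metre) or 2 (radian), assumed from the PNG spec. */
    if (len < 4 || (data[0] != 1 && data[0] != 2))
        return -1;
    w = data + 1;                    /* skip the unit byte by offset */
    sep = memchr(w, '\0', len - 1);  /* search starts after the unit byte */
    if (sep == NULL)
        return -1;
    wlen = (size_t)(sep - w);
    hlen = len - 2 - wlen;           /* minus unit byte and separator */
    if (wlen == 0 || hlen == 0 || memchr(sep + 1, '\0', hlen) != NULL)
        return -1;
    *width = dup_terminated(w, wlen);
    *height = dup_terminated(sep + 1, hlen);
    if (*width == NULL || *height == NULL) {
        free(*width); free(*height);
        *width = *height = NULL;
        return -1;
    }
    *unit = data[0];
    return 0;
}

int main(void)
{
    /* Constructed payload modelled on the report: unit 0x00, then "1111111". */
    const unsigned char bad[] = { 0, '1', '1', '1', '1', '1', '1', '1' };
    int unit; char *w, *h;
    return parse_scal(bad, sizeof bad, &unit, &w, &h) == -1 ? 0 : 1;
}
```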