Hi,
libpng-1.0.41/pngwutil.c contains this bug:
> png_size_t /* PRIVATE */
> png_check_keyword(png_structp png_ptr, png_charp key, png_charpp new_key)
> {
> ...
>    *new_key = (png_charp)png_malloc_warn(png_ptr, (png_uint_32)(key_len + 2));
> ...
>    if (key_len > 79)
>    {
>       png_warning(png_ptr, "keyword length must be 1 - 79 characters");
>       new_key[79] = '\0';
        ^^^^^^^^^^^^^^^^^^^
>       key_len = 79;
>    }
new_key is not a string, it's a pointer to a string. So this indexes
off into random memory and writes a NULL pointer over it. Although '\0'
was obviously intended as a NUL character, compilers seem happy to
convert it into a NULL pointer without even warning. PC-Lint correctly
warned about this.
This should probably be:
(*new_key)[79] = '\0';
I haven't tested this, it was just picked up by Lint.
Kind regards,
Jon Foster
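As an added illustration (not libpng's code and not part of the report above), the C below shows why the two spellings reach different memory and what the check looks like with the suggested fix applied. KEYWORD_MAX, the simplified check_keyword signature and the truncated_len helper are assumptions made for this example.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>
#define KEYWORD_MAX 79   /* limit named in the libpng warning text */

/* sizeof() never evaluates its operand, so the NULL pointer here is safe.
 * The buggy `new_key[79]` lands 79 pointer-sized slots from new_key (632
 * bytes on LP64); the intended `(*new_key)[79]` lands 79 bytes into the
 * string. The function returns the buggy byte offset. */
size_t buggy_write_offset(void)
{
    char **new_key = NULL;
    return (size_t)KEYWORD_MAX * sizeof(new_key[0]);
}

/* Corrected shape of the check: copy key into a fresh buffer at *new_key
 * and truncate to KEYWORD_MAX chars. Returns the length, or 0 (with
 * *new_key NULL) for an empty key or allocation failure. Caller frees. */
size_t check_keyword(const char *key, char **new_key)
{
    size_t key_len = strlen(key);
    *new_key = NULL;
    if (key_len == 0)
        return 0;
    *new_key = malloc(key_len + 2);          /* same size libpng allocates */
    if (*new_key == NULL)
        return 0;
    memcpy(*new_key, key, key_len + 1);
    if (key_len > KEYWORD_MAX) {
        (*new_key)[KEYWORD_MAX] = '\0';      /* index the string, not the pointer */
        key_len = KEYWORD_MAX;
    }
    return key_len;
}

/* Test helper: run check_keyword on a constructed all-'k' key of n chars
 * (n < 200) and return the length it reports after confirming the buffer
 * agrees with it. */
size_t truncated_len(size_t n)
{
    static char in[200];
    char *out = NULL;
    size_t len;
    if (n >= sizeof in)
        return (size_t)-1;
    memset(in, 'k', n);
    in[n] = '\0';
    len = check_keyword(in, &out);
    assert(out == NULL || strlen(out) == len);
    free(out);
    return len;
}
```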