authorGlenn Randers-Pehrson <glennrp at users.sourceforge.net>2014-11-06 08:26:18 -0600
committerGlenn Randers-Pehrson <glennrp at users.sourceforge.net>2014-11-06 08:26:18 -0600
commitafd39b47f7c326d090f4235f83086ffc9fd8dab9 (patch)
treeec3afde5e5ef5ba8e6c8b084a3911c2e8dbf04fa
parentee6be8733241b2f68dcb614701d70fb085cbd0d5 (diff)
downloadlibpng-afd39b47f7c326d090f4235f83086ffc9fd8dab9.tar.gz
[libpng12] Avoid out-of-bounds memory access while checking version string in
pngread.c and pngwrite.c
-rw-r--r--ANNOUNCE6
-rw-r--r--CHANGES4
-rw-r--r--pngread.c18
-rw-r--r--pngwrite.c21
4 files changed, 34 insertions, 15 deletions
diff --git a/ANNOUNCE b/ANNOUNCE
index df6d0c054..64b309bd9 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
-Libpng 1.2.52beta01 - February 6, 2014
+Libpng 1.2.52beta01 - November 6, 2014
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
@@ -43,7 +43,9 @@ Other information:
Changes since the last public release (1.2.51):
-version 1.2.52beta01 [February 6, 2014]
+version 1.2.52beta01 [November 6, 2014]
+ Avoid out-of-bounds memory access while checking version string in
+ pngread.c and pngwrite.c
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/CHANGES b/CHANGES
index 8c8d06147..955545121 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2814,7 +2814,9 @@ version 1.2.51rc04 [February 3, 2014]
version 1.0.61 and 1.2.51 [February 6, 2014]
Added an #ifdef PNG_FIXED_POINT_SUPPORTED/#endif in pngset.c
-version 1.2.52beta01 [February 6, 2014]
+version 1.2.52beta01 [November 6, 2014]
+ Avoid out-of-bounds memory access while checking version string in
+ pngread.c and pngwrite.c
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/pngread.c b/pngread.c
index 2197ff178..9ade1b318 100644
--- a/pngread.c
+++ b/pngread.c
@@ -100,16 +100,22 @@ png_create_read_struct_2(png_const_charp user_png_ver, png_voidp error_ptr,
png_set_error_fn(png_ptr, error_ptr, error_fn, warn_fn);
- if (user_png_ver)
+ if (user_png_ver != NULL)
{
- i = 0;
+ int found_dots = 0;
+ i = -1;
+
do
{
- if (user_png_ver[i] != png_libpng_ver[i])
+ i++;
+ if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
- } while (png_libpng_ver[i++]);
- }
- else
+ if (user_png_ver[i] == '.')
+ found_dots++;
+ } while (found_dots < 2 && user_png_ver[i] != 0 &&
+ PNG_LIBPNG_VER_STRING[i] != 0);
+ }
+ else
png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
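Review bot: The rewritten loop exits once `found_dots` reaches 2, so only the leading "major.minor." part of `user_png_ver` is compared and a difference later in the string no longer sets PNG_FLAG_LIBRARY_MISMATCH, yet nothing in the hunk records that this narrowing is deliberate. A comment above the `do` would make the contract explicit, for example `/* Compare through the second '.' only; stop at the first NUL in either string so neither is read past its terminator. */`. The same loop is added verbatim to png_create_write_struct_2 in pngwrite.c, so one internal helper called from both files would keep the two bounds checks from drifting apart. png_create_read_struct_2 begins and ends outside this hunk, so how the flag is consumed afterwards is not visible here.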
diff --git a/pngwrite.c b/pngwrite.c
index 1d94404db..c5cd9ec8f 100644
--- a/pngwrite.c
+++ b/pngwrite.c
@@ -525,15 +525,23 @@ png_create_write_struct_2(png_const_charp user_png_ver, png_voidp error_ptr,
#endif /* PNG_USER_MEM_SUPPORTED */
png_set_error_fn(png_ptr, error_ptr, error_fn, warn_fn);
- if (user_png_ver)
+ if (user_png_ver != NULL)
{
- i = 0;
+ int found_dots = 0;
+ i = -1;
+
do
{
- if (user_png_ver[i] != png_libpng_ver[i])
+ i++;
+ if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
- } while (png_libpng_ver[i++]);
+ if (user_png_ver[i] == '.')
+ found_dots++;
+ } while (found_dots < 2 && user_png_ver[i] != 0 &&
+ PNG_LIBPNG_VER_STRING[i] != 0);
}
+ else
+ png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
if (png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH)
{
@@ -684,8 +692,9 @@ png_write_init_3(png_structpp ptr_ptr, png_const_charp user_png_ver,
png_warning(png_ptr,
"Application uses deprecated png_write_init() and should be recompiled.");
#endif
- }
- } while (png_libpng_ver[i++]);
+ }
+ i++;
+ } while (png_libpng_ver[i] != 0 && user_png_ver[i] != 0);
png_debug(1, "in png_write_init_3");
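Review bot: With the new condition `png_libpng_ver[i] != 0 && user_png_ver[i] != 0` the loop ends as soon as either string terminates, and the index at which it ends is never compared, so a `user_png_ver` that is a strict prefix of `png_libpng_ver` (or the reverse) appears to pass as a match. The comparison itself sits above the hunk, so this is inferred from the visible `i++` and loop condition. If a length difference should count as a mismatch, add one check after the loop, `if (user_png_ver[i] != png_libpng_ver[i])`, taking the same mismatch branch as the loop body; both indices are still within their strings at that point. This hunk also shows no NULL test for `user_png_ver` and still indexes `png_libpng_ver`, whereas the two create functions in this commit test for NULL and use `PNG_LIBPNG_VER_STRING`; both are worth confirming against the part of png_write_init_3 outside the hunk.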