diff options
author | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2015-11-13 23:02:35 -0600 |
---|---|---|
committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2015-11-13 23:02:35 -0600 |
commit | 5b948c3e11ddc0260d92b32dc018ee5722535b24 (patch) | |
tree | fd8837c602f600f08268767a1443d4842ca0ff53 | |
parent | e9fa8b436450b6099a94da36038380aeb68bd50f (diff) | |
download | libpng-5b948c3e11ddc0260d92b32dc018ee5722535b24.tar.gz |
[lbpng14] Avoid potential pointer overflow in png_handle_iTXt(),
png_handle_zTXt(), png_handle_sPLT(), and png_handle_pCAL() (Bug report
by John Regehr).
-rw-r--r-- | ANNOUNCE | 4 | ||||
-rw-r--r-- | CHANGES | 4 | ||||
-rw-r--r-- | pngrutil.c | 10 |
3 files changed, 11 insertions, 7 deletions
@@ -1,5 +1,5 @@ -Libpng 1.4.18beta01 - November 13, 2015 +Libpng 1.4.18beta01 - November 14, 2015 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -28,6 +28,8 @@ Other information: Changes since the last public release (1.4.17): version 1.4.18beta01 [%RDATE%] + Avoid potential pointer overflow in png_handle_iTXt(), png_handle_zTXt(), + png_handle_sPLT(), and png_handle_pCAL() (Bug report by John Regehr). Send comments/corrections/commendations to glennrp at users.sourceforge.net or to png-mng-implement at lists.sf.net (subscription required; visit @@ -3007,7 +3007,9 @@ version 1.4.17rc04 [November 5, 2015] version 1.4.17 [November 12, 2015] Cleaned up coding style in png_handle_PLTE(). -version 1.4.18beta01 [November 13, 2015] +version 1.4.18beta01 [November 14, 2015] + Avoid potential pointer overflow in png_handle_iTXt(), png_handle_zTXt(), + png_handle_sPLT(), and png_handle_pCAL() (Bug report by John Regehr). Send comments/corrections/commendations to glennrp at users.sourceforge.net or to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/pngrutil.c b/pngrutil.c index c3860f379..f0253c8ee 100644 --- a/pngrutil.c +++ b/pngrutil.c @@ -1159,7 +1159,7 @@ png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* There should be at least one zero (the compression type byte) * following the separator, and we should be on it */ - if ( profile >= png_ptr->chunkdata + slength - 1) + if (slength < 1 || profile >= png_ptr->chunkdata + slength - 1) { png_free(png_ptr, png_ptr->chunkdata); png_ptr->chunkdata = NULL; @@ -1297,7 +1297,7 @@ png_handle_sPLT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) ++entry_start; /* A sample depth should follow the separator, and we should be on it */ - if (entry_start > (png_bytep)png_ptr->chunkdata + slength - 2) + if (slength < 2 || entry_start > (png_bytep)png_ptr->chunkdata + slength - 2) { png_free(png_ptr, png_ptr->chunkdata); png_ptr->chunkdata = NULL; @@ -1771,7 +1771,7 @@ png_handle_pCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* We need to have at least 12 bytes after the purpose string in order to get the parameter information. */ - if (endptr <= buf + 12) + if (slength < 12 || endptr <= buf + 12) { png_warning(png_ptr, "Invalid pCAL data"); png_free(png_ptr, png_ptr->chunkdata); @@ -2222,7 +2222,7 @@ png_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* Empty loop */ ; /* zTXt must have some text after the chunkdataword */ - if (text >= png_ptr->chunkdata + slength - 2) + if (slength < 2 || text >= png_ptr->chunkdata + slength - 2) { png_warning(png_ptr, "Truncated zTXt chunk"); png_free(png_ptr, png_ptr->chunkdata); @@ -2348,7 +2348,7 @@ png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) * keyword */ - if (lang >= png_ptr->chunkdata + slength - 3) + if (slength < 3 || lang >= png_ptr->chunkdata + slength - 3) { png_warning(png_ptr, "Truncated iTXt chunk"); png_free(png_ptr, png_ptr->chunkdata); |