author Glenn Randers-Pehrson <glennrp at users.sourceforge.net> 2015-12-09 09:37:20 -0600
committer Glenn Randers-Pehrson <glennrp at users.sourceforge.net> 2015-12-09 09:37:20 -0600
commit 9d757479d19fae9a0769ec57076f4c49de3faf4d (patch)
tree 3930d56e0bcaa22683188b1bc77fc2820ad84c18
parent 8c12b3c2cc24a4c0d5889e0e2a02e7f340a9dc9a (diff)
download libpng-9d757479d19fae9a0769ec57076f4c49de3faf4d.tar.gz
[libpng14] Fixed an out-of-range read in png_check_keyword() (Bug report from
Qixue Xiao).
-rw-r--r-- ANNOUNCE 31
-rw-r--r-- CHANGES 6
-rw-r--r-- pngwutil.c 2
3 files changed, 20 insertions, 19 deletions
diff --git a/ANNOUNCE b/ANNOUNCE
index f99086494..274c38bc8 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,37 +1,34 @@
-Libpng 1.4.18 - December 3, 2015
+Libpng 1.4.19beta01 - December 9, 2015
-This is a public release of libpng, intended for use in production codes.
+This is not intended to be a public release. It will be replaced
+within a few weeks by a public version or by another test version.
Files available for download:
Source files with LF line endings (for Unix/Linux) and with a
"configure" script
- libpng-1.4.18.tar.xz (LZMA-compressed, recommended)
- libpng-1.4.18.tar.gz
+ 1.4.19beta01.tar.xz (LZMA-compressed, recommended)
+ 1.4.19beta01.tar.gz
Source files with CRLF line endings (for Windows), without the
"configure" script
- lpng1418.7z (LZMA-compressed, recommended)
- lpng1418.zip
+ lp1419b01.7z (LZMA-compressed, recommended)
+ lp1419b01.zip
Other information:
- libpng-1.4.18-README.txt
- libpng-1.4.18-LICENSE.txt
- libpng-1.4.18-*.asc (armored detached GPG signatures)
+ 1.4.19beta01-README.txt
+ 1.4.19beta01-LICENSE.txt
+ libpng-1.4.19beta01-*.asc (armored detached GPG signatures)
-Changes since the last public release (1.4.17):
+Changes since the last public release (1.4.18):
- Avoid potential pointer overflow in png_handle_iTXt(), png_handle_zTXt(),
- png_handle_sPLT(), and png_handle_pCAL() (Bug report by John Regehr).
- Fixed incorrect implementation of png_set_PLTE() that uses png_ptr
- not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
- vulnerability.
- Discontinued distributing tar.bz2 archives.
- Discontinued distributing libpng-oldversion-newversion-diff.txt
+version 1.4.19 [December 9, 2015]
+ Fixed an out-of-range read in png_check_keyword() (Bug report from
+ Qixue Xiao).
Send comments/corrections/commendations to glennrp at users.sourceforge.net
or to png-mng-implement at lists.sf.net (subscription required; visit
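Review bot: The download names in the added lines are inconsistent: `1.4.19beta01.tar.xz`, `1.4.19beta01.tar.gz`, `1.4.19beta01-README.txt` and `1.4.19beta01-LICENSE.txt` drop the `libpng-` prefix that the removed 1.4.18 lines carried, while `libpng-1.4.19beta01-*.asc` keeps it. The .asc line describes detached signatures for these same files, so the names should match to let a reader pair each archive with its signature; suggest restoring `libpng-` on those four lines. The new section heading also reads `version 1.4.19 [December 9, 2015]` although the title line of this file says 1.4.19beta01.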
diff --git a/CHANGES b/CHANGES
index 0d3f1955b..ebd1424c1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3014,7 +3014,7 @@ version 1.4.18beta01 [November 20, 2015]
version 1.4.18beta02 [November 23, 2015]
Fixed incorrect implementation of png_set_PLTE() that uses png_ptr
not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
- vulnerability.
+ vulnerability. Fixes CVE-2015-8472.
version 1.4.18rc01 [November 26, 2015]
Discontinued distributing tar.bz2 archives.
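Review bot: The added `Fixes CVE-2015-8472.` rewrites the already-published 1.4.18beta02 entry, and the commit message only mentions png_check_keyword(), so this changelog correction is easy to miss when reading history. It should either go in its own commit or be named in the commit message. The wording also leaves the relation between the two identifiers unclear: the sentence says png_set_PLTE() was left open to CVE-2015-8126 and then that something fixes CVE-2015-8472; a phrase stating that CVE-2015-8472 is the identifier for this incomplete png_set_PLTE() fix, if that is what is meant, would remove the ambiguity.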
@@ -3022,6 +3022,10 @@ version 1.4.18rc01 [November 26, 2015]
version 1.4.18 [December 3, 2015]
Discontinued distributing libpng-oldversion-newversion-diff.txt
+version 1.4.19beta01 [December 9, 2015]
+ Fixed an out-of-range read in png_check_keyword() (Bug report from
+ Qixue Xiao).
+
Send comments/corrections/commendations to glennrp at users.sourceforge.net
or to png-mng-implement at lists.sf.net (subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement).
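Review bot: The new 1.4.19beta01 entry says only "out-of-range read in png_check_keyword()" and gives no hint of the triggering input or that the function lives in the write path (pngwutil.c). Packagers triaging the release need that to judge exposure; suggest adding a short clause such as "when stripping trailing spaces from a keyword", which is what the changed loop in pngwutil.c does.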
diff --git a/pngwutil.c b/pngwutil.c
index 141edd585..8404000b2 100644
--- a/pngwutil.c
+++ b/pngwutil.c
@@ -1303,7 +1303,7 @@ png_check_keyword(png_structp png_ptr, png_charp key, png_charpp new_key)
{
png_warning(png_ptr, "trailing spaces removed from keyword");
- while (*kp == ' ')
+ while (key_len && *kp == ' ')
{
*(kp--) = '\0';
key_len--;
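Review bot: The new guard in `while (key_len && *kp == ' ')` is only correct if key_len counts exactly the characters from the start of the keyword up to kp, and nothing in the hunk states or checks that invariant (kp's initialization is outside the visible lines). A one-line comment above the loop saying that key_len bounds the backward scan would keep a later edit from separating the two. The guard only matters when every remaining character is a space, so the code after the loop must cope with key_len reaching 0; that path is not shown here and is worth confirming. The diffstat lists only ANNOUNCE, CHANGES and pngwutil.c, so no regression test for an all-spaces keyword accompanies the fix; adding one would pin the behaviour.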