diff options
author | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2011-06-07 14:35:30 -0500 |
---|---|---|
committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2011-06-07 14:35:30 -0500 |
commit | 07e1d34a8498ebcdaf33a438b6f476f84f7f2b53 (patch) | |
tree | ddc5b5ef12ac44848366a1b4dd1edc6843e2aa4c /pngerror.c | |
parent | 36edbb5eee1091a13f1058ee1ec7d518028a583a (diff) | |
download | libpng-07e1d34a8498ebcdaf33a438b6f476f84f7f2b53.tar.gz |
[devel] Fixed 1-byte uninitialized memory reference in png_format_buffer()
(Bug report by Frank Busse, related to CVE-2004-0421).
Diffstat (limited to 'pngerror.c')
-rw-r--r-- | pngerror.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/pngerror.c b/pngerror.c index 4881dfe82..419f83a7f 100644 --- a/pngerror.c +++ b/pngerror.c @@ -400,8 +400,13 @@ png_format_buffer(png_structp png_ptr, png_charp buffer, png_const_charp { buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT); - buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0'; + + iin = 0; + while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0') + buffer[iout++] = error_message[iin++]; + + /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */ + buffer[iout] = '\0'; } } #endif /* PNG_WARNINGS_SUPPORTED || PNG_ERROR_TEXT_SUPPORTED */ |