summaryrefslogtreecommitdiff
path: root/pngwrite.c
diff options
context:
space:
mode:
authorGlenn Randers-Pehrson <glennrp at users.sourceforge.net>2014-11-06 08:26:18 -0600
committerGlenn Randers-Pehrson <glennrp at users.sourceforge.net>2014-11-06 08:26:18 -0600
commitafd39b47f7c326d090f4235f83086ffc9fd8dab9 (patch)
treeec3afde5e5ef5ba8e6c8b084a3911c2e8dbf04fa /pngwrite.c
parentee6be8733241b2f68dcb614701d70fb085cbd0d5 (diff)
downloadlibpng-afd39b47f7c326d090f4235f83086ffc9fd8dab9.tar.gz
[libpng12] Avoid out-of-bounds memory access while checking version string in
pngread.c and pngwrite.c
Diffstat (limited to 'pngwrite.c')
-rw-r--r--pngwrite.c21
1 files changed, 15 insertions, 6 deletions
diff --git a/pngwrite.c b/pngwrite.c
index 1d94404db..c5cd9ec8f 100644
--- a/pngwrite.c
+++ b/pngwrite.c
@@ -525,15 +525,23 @@ png_create_write_struct_2(png_const_charp user_png_ver, png_voidp error_ptr,
#endif /* PNG_USER_MEM_SUPPORTED */
png_set_error_fn(png_ptr, error_ptr, error_fn, warn_fn);
- if (user_png_ver)
+ if (user_png_ver != NULL)
{
- i = 0;
+ int found_dots = 0;
+ i = -1;
+
do
{
- if (user_png_ver[i] != png_libpng_ver[i])
+ i++;
+ if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
- } while (png_libpng_ver[i++]);
+ if (user_png_ver[i] == '.')
+ found_dots++;
+ } while (found_dots < 2 && user_png_ver[i] != 0 &&
+ PNG_LIBPNG_VER_STRING[i] != 0);
}
+ else
+ png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
if (png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH)
{
@@ -684,8 +692,9 @@ png_write_init_3(png_structpp ptr_ptr, png_const_charp user_png_ver,
png_warning(png_ptr,
"Application uses deprecated png_write_init() and should be recompiled.");
#endif
- }
- } while (png_libpng_ver[i++]);
+ }
+ i++;
+ } while (png_libpng_ver[i] != 0 && user_png_ver[i] != 0);
png_debug(1, "in png_write_init_3");
View Lorry Controller Status