diff options
author | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2014-11-06 08:26:18 -0600 |
---|---|---|
committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2014-11-06 08:26:18 -0600 |
commit | afd39b47f7c326d090f4235f83086ffc9fd8dab9 (patch) | |
tree | ec3afde5e5ef5ba8e6c8b084a3911c2e8dbf04fa /pngwrite.c | |
parent | ee6be8733241b2f68dcb614701d70fb085cbd0d5 (diff) | |
download | libpng-afd39b47f7c326d090f4235f83086ffc9fd8dab9.tar.gz |
[libpng12] Avoid out-of-bounds memory access while checking version string in
pngread.c and pngwrite.c
Diffstat (limited to 'pngwrite.c')
-rw-r--r-- | pngwrite.c | 21 |
1 files changed, 15 insertions, 6 deletions
diff --git a/pngwrite.c b/pngwrite.c index 1d94404db..c5cd9ec8f 100644 --- a/pngwrite.c +++ b/pngwrite.c @@ -525,15 +525,23 @@ png_create_write_struct_2(png_const_charp user_png_ver, png_voidp error_ptr, #endif /* PNG_USER_MEM_SUPPORTED */ png_set_error_fn(png_ptr, error_ptr, error_fn, warn_fn); - if (user_png_ver) + if (user_png_ver != NULL) { - i = 0; + int found_dots = 0; + i = -1; + do { - if (user_png_ver[i] != png_libpng_ver[i]) + i++; + if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i]) png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; - } while (png_libpng_ver[i++]); + if (user_png_ver[i] == '.') + found_dots++; + } while (found_dots < 2 && user_png_ver[i] != 0 && + PNG_LIBPNG_VER_STRING[i] != 0); } + else + png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; if (png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) { @@ -684,8 +692,9 @@ png_write_init_3(png_structpp ptr_ptr, png_const_charp user_png_ver, png_warning(png_ptr, "Application uses deprecated png_write_init() and should be recompiled."); #endif - } - } while (png_libpng_ver[i++]); + } + i++; + } while (png_libpng_ver[i] != 0 && user_png_ver[i] != 0); png_debug(1, "in png_write_init_3"); |