-rw-r--r-- | ANNOUNCE | 24 | ||||
-rw-r--r-- | CHANGES | 8 | ||||
-rw-r--r-- | pngerror.c | 9 |
3 files changed, 29 insertions, 12 deletions
@@ -1,5 +1,5 @@ -Libpng 1.5.3rc01 - June 3, 2011 +Libpng 1.5.3rc02 - June 7, 2011 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -9,20 +9,20 @@ Files available for download: Source files with LF line endings (for Unix/Linux) and with a "configure" script - 1.5.3rc01.tar.xz (LZMA-compressed, recommended) - 1.5.3rc01.tar.gz - 1.5.3rc01.tar.bz2 + 1.5.3rc02.tar.xz (LZMA-compressed, recommended) + 1.5.3rc02.tar.gz + 1.5.3rc02.tar.bz2 Source files with CRLF line endings (for Windows), without the "configure" script - lp153r01.7z (LZMA-compressed, recommended) - lp153r01.zip + lp153r02.7z (LZMA-compressed, recommended) + lp153r02.zip Other information: - 1.5.3rc01-README.txt - 1.5.3rc01-LICENSE.txt + 1.5.3rc02-README.txt + 1.5.3rc02-LICENSE.txt Changes since the last public release (1.5.2): @@ -125,7 +125,9 @@ Version 1.5.3beta08 [May 16, 2011] Added memory overwrite and palette image checks to pngvalid.c Previously palette image code was poorly checked. Since the transformation code has a special palette path in most cases this was a severe weakness. - Minor cleanup and some extra checking in pngrutil.c and pngrtran.c + Minor cleanup and some extra checking in pngrutil.c and pngrtran.c. When + expanding an indexed image, always expand to RGBA if transparency is + present. Version 1.5.3beta09 [May 17, 2011] Reversed earlier 1.5.3 change of transformation order; move png_expand_16 back. @@ -148,6 +150,10 @@ Version 1.5.3beta10 [May 20, 2011] Version 1.5.3rc01 [June 3, 2011] No changes. +Version 1.5.3rc02 [June 7, 2011] + Fixed 1-byte uninitialized memory reference in png_format_buffer() (Bug + report by Frank Busse, related to CVE-2004-0421). + Send comments/corrections/commendations to png-mng-implement at lists.sf.net: (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement 
@@ -3386,7 +3386,9 @@ Version 1.5.3beta08 [May 16, 2011] Added memory overwrite and palette image checks to pngvalid.c Previously palette image code was poorly checked. Since the transformation code has a special palette path in most cases this was a severe weakness. - Minor cleanup and some extra checking in pngrutil.c and pngrtran.c + Minor cleanup and some extra checking in pngrutil.c and pngrtran.c. When + expanding an indexed image, always expand to RGBA if transparency is + present. Version 1.5.3beta09 [May 17, 2011] Reversed earlier 1.5.3 change of transformation order; move png_expand_16 @@ -3411,6 +3413,10 @@ Version 1.5.3beta10 [May 20, 2011] Version 1.5.3rc01 [June 3, 2011] No changes. +Version 1.5.3rc02 [June 7, 2011] + Fixed 1-byte uninitialized memory reference in png_format_buffer() (Bug + report by Frank Busse, related to CVE-2004-0421). + Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement diff --git a/pngerror.c b/pngerror.c index 4881dfe82..419f83a7f 100644 --- a/pngerror.c +++ b/pngerror.c @@ -400,8 +400,13 @@ png_format_buffer(png_structp png_ptr, png_charp buffer, png_const_charp { buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT); - buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0'; + + iin = 0; + while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0') + buffer[iout++] = error_message[iin++]; + + /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */ + buffer[iout] = '\0'; } } #endif /* PNG_WARNINGS_SUPPORTED || PNG_ERROR_TEXT_SUPPORTED */ |
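Review bot: In the pngerror.c hunk, the comment above the terminating store reasons about `iin`, but the index written is `iout`, so the stated invariant does not by itself show that `buffer[iout] = '\0'` stays inside `buffer`. The actual bound is whatever prefix the earlier part of png_format_buffer has written, plus the two separator bytes, plus at most `PNG_MAX_ERROR_TEXT-1` copied bytes, and that sum has to be smaller than the caller's buffer; the function starts above the hunk, so neither the prefix code nor the buffer declaration can be checked from here. I would reword the comment to state that relationship, for example `/* iout <= (max prefix length) + 2 + PNG_MAX_ERROR_TEXT-1, which must be < the size of the caller's buffer */`, so a later change to the prefix or to the buffer size is recognised as affecting this write. As a style point, bracing the one-statement `while` body would keep the copy loop and the terminator visibly separate.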