From 520b373ee53e92dce93917fea5a609b2a0291472 Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Wed, 9 Dec 2015 09:33:54 -0600 Subject: [PATCH] [libpng12] Fixed an out-of-range read in png_check_keyword() (Bug report from Qixue Xiao). --- ANNOUNCE | 44 ++++++++++++++++++++------------------------ CHANGES | 8 ++++++-- pngwutil.c | 2 +- 3 files changed, 27 insertions(+), 27 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index 23ec9ff4..1ccdb88c 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,51 +1,47 @@ -Libpng 1.2.55 - December 3, 2015 +Libpng 1.2.56beta01 - December 9, 2015 -This is a public release of libpng, intended for use in production codes. +This is not intended to be a public release. It will be replaced +within a few weeks by a public version or by another test version. Files available for download: Source files with LF line endings (for Unix/Linux) and with a "configure" script - libpng-1.2.55.tar.xz (LZMA-compressed, recommended) - libpng-1.2.55.tar.gz + libpng-1.2.56beta01.tar.xz (LZMA-compressed, recommended) + libpng-1.2.56beta01.tar.gz Source files with LF line endings (for Unix/Linux) without the "configure" script - libpng-1.2.55-no-config.tar.xz (LZMA-compressed, recommended) - libpng-1.2.55-no-config.tar.gz + libpng-1.2.56beta01-no-config.tar.xz (LZMA-compressed, recommended) + libpng-1.2.56beta01-no-config.tar.gz Source files with CRLF line endings (for Windows), without the "configure" script - lpng1255.zip - lpng1255.7z + lp1256b01.zip + lp1256b01.7z Project files - libpng-1.2.55-project-netware.zip - libpng-1.2.55-project-wince.zip + libpng-1.2.56beta01-project-netware.zip + libpng-1.2.56beta01-project-wince.zip Other information: - libpng-1.2.55-README.txt - libpng-1.2.55-KNOWNBUGS.txt - libpng-1.2.55-LICENSE.txt - libpng-1.2.55-Y2K-compliance.txt - libpng-1.2.55-[previous version]-diff.txt - libpng-1.2.55-*.asc (armored detached GPG signatures) + libpng-1.2.56beta01-README.txt + libpng-1.2.56beta01-KNOWNBUGS.txt + libpng-1.2.56beta01-LICENSE.txt + libpng-1.2.56beta01-Y2K-compliance.txt + libpng-1.2.56beta01-[previous version]-diff.txt + libpng-1.2.56beta01-*.asc (armored detached GPG signatures) -Changes since the last public release (1.2.54): +Changes since the last public release (1.2.55): - Avoid potential pointer overflow in png_handle_iTXt(), png_handle_zTXt(), - png_handle_sPLT(), and png_handle_pCAL() (Bug report by John Regehr). - Fixed incorrect implementation of png_set_PLTE() that uses png_ptr - not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126 - vulnerability. - Discontinued distributing tar.bz2 archives. - Discontinued distributing libpng-oldversion-newversion-diff.txt + Fixed an out-of-range read in png_check_keyword() (Bug report from + Qixue Xiao). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index a11aa64b..b2eac991 100644 --- a/CHANGES +++ b/CHANGES @@ -2901,14 +2901,18 @@ version 1.2.55beta01 [November 20, 2015] version 1.2.55beta02 [November 23, 2015] Fixed incorrect implementation of png_set_PLTE() that uses png_ptr not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126 - vulnerability. + vulnerability. Fixes CVE-2015-8472. version 1.2.55rc01 [November 26, 2015] Discontinued distributing tar.bz2 archives. -version 1.2.55 and 1.0.65 [December 3, 2015] +version 1.2.55 and 1.0.65 [December 6, 2015] Discontinued distributing libpng-oldversion-newversion-diff.txt +version 1.2.56beta01 [December 9, 2015] + Fixed an out-of-range read in png_check_keyword() (Bug report from + Qixue Xiao). + Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement diff --git a/pngwutil.c b/pngwutil.c index bc6c9866..182f8db2 100644 --- a/pngwutil.c +++ b/pngwutil.c @@ -1285,7 +1285,7 @@ png_check_keyword(png_structp png_ptr, png_charp key, png_charpp new_key) { png_warning(png_ptr, "trailing spaces removed from keyword"); - while (*kp == ' ') + while (key_len && *kp == ' ') { *(kp--) = '\0'; key_len--;