[libpng12] Fixed an out-of-range read in png_check_keyword() (Bug report from

Qixue Xiao).
2015-12-09 09:33:54 -06:00 · 2015-12-09 09:33:54 -06:00 · 520b373ee5
commit 520b373ee5
parent 623e09d8c5
3 changed files with 27 additions and 27 deletions
--- a/44
+++ b/44
@ -1,51 +1,47 @@
-Libpng 1.2.55 - December 3, 2015
+Libpng 1.2.56beta01 - December 9, 2015
-This is a public release of libpng, intended for use in production codes.
+This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
 Files available for download:
 Source files with LF line endings (for Unix/Linux) and with a
 "configure" script
-   libpng-1.2.55.tar.xz (LZMA-compressed, recommended)
+   libpng-1.2.56beta01.tar.xz (LZMA-compressed, recommended)
-   libpng-1.2.55.tar.gz
+   libpng-1.2.56beta01.tar.gz
 Source files with LF line endings (for Unix/Linux) without the
 "configure" script
-   libpng-1.2.55-no-config.tar.xz (LZMA-compressed, recommended)
+   libpng-1.2.56beta01-no-config.tar.xz (LZMA-compressed, recommended)
-   libpng-1.2.55-no-config.tar.gz
+   libpng-1.2.56beta01-no-config.tar.gz
 Source files with CRLF line endings (for Windows), without the
 "configure" script
-   lpng1255.zip
+   lp1256b01.zip
-   lpng1255.7z
+   lp1256b01.7z
 Project files
-   libpng-1.2.55-project-netware.zip
+   libpng-1.2.56beta01-project-netware.zip
-   libpng-1.2.55-project-wince.zip
+   libpng-1.2.56beta01-project-wince.zip
 Other information:
-   libpng-1.2.55-README.txt
+   libpng-1.2.56beta01-README.txt
-   libpng-1.2.55-KNOWNBUGS.txt
+   libpng-1.2.56beta01-KNOWNBUGS.txt
-   libpng-1.2.55-LICENSE.txt
+   libpng-1.2.56beta01-LICENSE.txt
-   libpng-1.2.55-Y2K-compliance.txt
+   libpng-1.2.56beta01-Y2K-compliance.txt
-   libpng-1.2.55-[previous version]-diff.txt
+   libpng-1.2.56beta01-[previous version]-diff.txt
-   libpng-1.2.55-*.asc (armored detached GPG signatures)
+   libpng-1.2.56beta01-*.asc (armored detached GPG signatures)
-Changes since the last public release (1.2.54):
+Changes since the last public release (1.2.55):
-  Avoid potential pointer overflow in png_handle_iTXt(), png_handle_zTXt(),
+  Fixed an out-of-range read in png_check_keyword() (Bug report from
-    png_handle_sPLT(), and png_handle_pCAL() (Bug report by John Regehr).
+    Qixue Xiao).
  Fixed incorrect implementation of png_set_PLTE() that uses png_ptr
    not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
    vulnerability.
  Discontinued distributing tar.bz2 archives.
  Discontinued distributing libpng-oldversion-newversion-diff.txt
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
--- a/8
+++ b/8
@ -2901,14 +2901,18 @@ version 1.2.55beta01 [November 20, 2015]
 version 1.2.55beta02 [November 23, 2015]
  Fixed incorrect implementation of png_set_PLTE() that uses png_ptr
    not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
-    vulnerability.
+    vulnerability.  Fixes CVE-2015-8472.
 version 1.2.55rc01 [November 26, 2015]
  Discontinued distributing tar.bz2 archives.
-version 1.2.55 and 1.0.65 [December 3, 2015]
+version 1.2.55 and 1.0.65 [December 6, 2015]
  Discontinued distributing libpng-oldversion-newversion-diff.txt
 version 1.2.56beta01 [December 9, 2015]
  Fixed an out-of-range read in png_check_keyword() (Bug report from
    Qixue Xiao).
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement
--- a/pngwutil.c
+++ b/pngwutil.c
@ -1285,7 +1285,7 @@ png_check_keyword(png_structp png_ptr, png_charp key, png_charpp new_key)
   {
      png_warning(png_ptr, "trailing spaces removed from keyword");
-      while (*kp == ' ')
+      while (key_len && *kp == ' ')
      {
         *(kp--) = '\0';
         key_len--;