minecraft-pi-reborn
/
libpng
Archived
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[libpng12] Avoid potential pointer overflow in png_handle_iTXt(), 

png_handle_zTXt(), png_handle_sPLT(), and png_handle_pCAL() (Bug report
by John Regehr).
This commit is contained in:
Glenn Randers-Pehrson 2015-11-13 23:07:39 -06:00
parent ad08e3e522
commit 7e1ca9ceba
3 changed files with 11 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ANNOUNCE
View File

@ -1,5 +1,5 @@
Libpng 1.2.55beta01 - November 13, 2015
Libpng 1.2.55beta01 - November 14, 2015
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
@ -43,7 +43,9 @@ Other information:
Changes since the last public release (1.2.54):
version 1.2.55beta01 [November 13, 2015]
version 1.2.55beta01 [November 14, 2015]
Avoid potential pointer overflow in png_handle_iTXt(), png_handle_zTXt(),
png_handle_sPLT(), and png_handle_pCAL() (Bug report by John Regehr).
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit

2
CHANGES
View File

@ -2895,6 +2895,8 @@ version 1.2.54 [November 12, 2015]
Cleaned up coding style in png_handle_PLTE().
version 1.2.55beta01 [%RDATE%]
Avoid potential pointer overflow in png_handle_iTXt(), png_handle_zTXt(),
png_handle_sPLT(), and png_handle_pCAL() (Bug report by John Regehr).
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit

10
pngrutil.c
View File

@ -1114,7 +1114,7 @@ png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
/* There should be at least one zero (the compression type byte)
* following the separator, and we should be on it
*/
if ( profile >= png_ptr->chunkdata + slength - 1)
if (slength < 1 || profile >= png_ptr->chunkdata + slength - 1)
{
png_free(png_ptr, png_ptr->chunkdata);
png_ptr->chunkdata = NULL;
@ -1242,7 +1242,7 @@ png_handle_sPLT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
++entry_start;
/* A sample depth should follow the separator, and we should be on it */
if (entry_start > (png_bytep)png_ptr->chunkdata + slength - 2)
if (slength < 2 || entry_start > (png_bytep)png_ptr->chunkdata + slength - 2)
{
png_free(png_ptr, png_ptr->chunkdata);
png_ptr->chunkdata = NULL;
@ -1716,7 +1716,7 @@ png_handle_pCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
/* We need to have at least 12 bytes after the purpose string
in order to get the parameter information. */
if (endptr <= buf + 12)
if (slength < 12 || endptr <= buf + 12)
{
png_warning(png_ptr, "Invalid pCAL data");
png_free(png_ptr, png_ptr->chunkdata);
@ -2172,7 +2172,7 @@ png_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
/* Empty loop */ ;
/* zTXt must have some text after the chunkdataword */
if (text >= png_ptr->chunkdata + slength - 2)
if (slength < 2 || text >= png_ptr->chunkdata + slength - 2)
{
png_warning(png_ptr, "Truncated zTXt chunk");
png_free(png_ptr, png_ptr->chunkdata);
@ -2298,7 +2298,7 @@ png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
* keyword
*/
if (lang >= png_ptr->chunkdata + slength - 3)
if (slength < 3 || lang >= png_ptr->chunkdata + slength - 3)
{
png_warning(png_ptr, "Truncated iTXt chunk");
png_free(png_ptr, png_ptr->chunkdata);