[legacy] Fixed 1-byte uninitialized memory reference in png_format_buffer()

(Bug report by Frank Busse, related to CVE-2004-0421).

Pass "" instead of '\0' to png_default_error() in png_err().  This mistake
was introduced in libpng-1.2.20beta01.

ANNOUNCE

@@ -1,54 +1,114 @@
 
-Libpng 1.2.44 - June 26, 2010
+Libpng 1.2.45beta01 - June 7, 2011
 
-This is a public release of libpng, intended for use in production codes.
+This is not intended to be a public release.  It will be replaced
+within a few weeks by a public version or by another test version.
 
 Files available for download:
 
 Source files with LF line endings (for Unix/Linux) and with a
 "configure" script
 
-   libpng-1.2.44.tar.xz (LZMA-compressed, recommended)
-   libpng-1.2.44.tar.gz
-   libpng-1.2.44.tar.bz2
+   libpng-1.2.45beta01.tar.xz (LZMA-compressed, recommended)
+   libpng-1.2.45beta01.tar.gz
+   libpng-1.2.45beta01.tar.bz2
 
 Source files with LF line endings (for Unix/Linux) without the
 "configure" script
 
-   libpng-1.2.44-no-config.tar.xz (LZMA-compressed, recommended)
-   libpng-1.2.44-no-config.tar.gz
-   libpng-1.2.44-no-config.tar.bz2
+   libpng-1.2.45beta01-no-config.tar.xz (LZMA-compressed, recommended)
+   libpng-1.2.45beta01-no-config.tar.gz
+   libpng-1.2.45beta01-no-config.tar.bz2
 
 Source files with CRLF line endings (for Windows), without the
 "configure" script
 
-   lpng1244.zip
-   lpng1244.7z
-   lpng1244.tar.bz2
+   lp1245b01.zip
+   lp1245b01.7z
+   lp1245b01.tar.bz2
 
 Project files
 
-   libpng-1.2.44-project-netware.zip
-   libpng-1.2.44-project-wince.zip
+   libpng-1.2.45beta01-project-netware.zip
+   libpng-1.2.45beta01-project-wince.zip
 
 Other information:
 
-   libpng-1.2.44-README.txt
-   libpng-1.2.44-KNOWNBUGS.txt
-   libpng-1.2.44-LICENSE.txt
-   libpng-1.2.44-Y2K-compliance.txt
-   libpng-1.2.44-[previous version]-diff.txt
+   libpng-1.2.45beta01-README.txt
+   libpng-1.2.45beta01-KNOWNBUGS.txt
+   libpng-1.2.45beta01-LICENSE.txt
+   libpng-1.2.45beta01-Y2K-compliance.txt
+   libpng-1.2.45beta01-[previous version]-diff.txt
 
-Changes since the last public release (1.2.43):
+Changes since the last public release (1.2.42):
 
-version 1.2.44 [June 26, 2010]
+version 1.2.43beta01 [January 27, 2010]
+  Updated CMakeLists.txt for consistent indentation and to avoid an
+    unclosed if-statement warning (Philip Lowman).
+  Removed "#ifdef PNG_1_0_X / #endif" surrounding
+    PNG_READ_16_TO_8_SUPPORTED and PNG_READ_GRAY_TO_RGB_SUPPORTED
+    in pngconf.h.  These were added in libpng-1.2.41beta08 and libpng-1.0.51,
+    which introduced a binary incompatibility with libpng-1.0.50.
+  Backported new png_decompress_chunk() algorithm from libpng-1.4.1
 
-  Rewrote png_process_IDAT_data to consistently treat extra data as warnings
-    and handle end conditions more cleanly.
+version 1.2.43beta02 [February 1, 2010]
+  Backported two-pass png_decompress_chunk() algorithm from libpng-1.4.1
+
+version 1.2.43beta03 [February 6, 2010]
+  Backported fast png_push_save_buffer() algorithm from libpng-1.4.1
+
+version 1.2.43beta04 [February 8, 2010]
+  Reverted recent changes to png_push_save-buffer().
+  Removed PNGAPI declaration of png_calloc() and png_write_sig() in
+    1ibpng-1.2.X, introduced by mistake in libpng-1.2.41.
+  Return allocated "old_buffer" in png_push_save_buffer() before png_error(),
+    to avoid a potential memory leak.
+
+version 1.2.43beta05 [February 8, 2010]
+  Ported rewritten png_decompress_chunk() by John Bowler from libpng-1.4.1.
+
+version 1.0.53rc01 and 1.2.43rc01 [February 18, 2010]
+  No changes.
+
+version 1.0.53rc02 and 1.2.43rc02 [February 19, 2010]
+  Define _ALL_SOURCE in configure.ac, makefile.aix, and CMakeLists.txt
+    when using AIX compiler.
+
+version 1.0.53 and 1.2.43 [February 25, 2010]
+  Removed unused gzio.c from contrib/pngminim gather and makefile scripts
+
+version 1.2.44beta01 [June 18, 2010]
+  In pngpread.c: png_push_have_row() add check for new_row > height
   Removed the now-redundant check for out-of-bounds new_row from example.c
 
+version 1.2.44beta02 [June 19, 2010]
+  In pngpread.c: png_push_process_row() add check for too many rows.
+  Removed the now-redundant check for new_row > height in png_push_have_row().
+
+version 1.2.44beta03 [June 20, 2010]
+  Rewrote png_process_IDAT_data to consistently treat extra data as warnings
+    and handle end conditions more cleanly.
+  Removed the new (beta02) check in png_push_process_row().
+
+version 1.2.44rc01 [June 21, 2010]
+  Revised some comments in png_process_IDAT_data().
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 
+version 1.2.44rc02 [June 22, 2010]
+  Stop memory leak when reading a malformed sCAL chunk.
+
+version 1.2.44rc03 [June 23, 2010]
+  Revised pngpread.c patch of beta05 to avoid an endless loop.
+
+version 1.2.44 [June 26, 2010]
+  Updated some of the "last changed" dates.
+
+version 1.2.45beta01 [June 7, 2011]
+  Fixed 1-byte uninitialized memory reference in png_format_buffer() (Bug
+    report by Frank Busse, related to CVE-2004-0421).
+  Pass "" instead of '\0' to png_default_error() in png_err().  This mistake
+    was introduced in libpng-1.2.20beta01.
+
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement
 to subscribe) or to glennrp at users.sourceforge.net

CHANGES

@@ -1478,7 +1478,7 @@ version 1.2.9beta5 [March 4, 2006]
   Removed trailing blanks from source files.
   Put version and date of latest change in each source file, and changed
     copyright year accordingly.
-  More cleanup of configure.ac, Makefile.ac, and associated scripts.
+  More cleanup of configure.ac, Makefile.am, and associated scripts.
   Restored scripts/makefile.elf which was inadvertently deleted.
 
 version 1.2.9beta6 [March 6, 2006]
@@ -2704,6 +2704,12 @@ version 1.2.44rc03 [June 23, 2010]
 version 1.2.44 [June 26, 2010]
   Updated some of the "last changed" dates.
 
+version 1.2.45beta01 [June 7, 2011]
+  Fixed 1-byte uninitialized memory reference in png_format_buffer() (Bug
+    report by Frank Busse, related to CVE-2004-0421).
+  Pass "" instead of '\0' to png_default_error() in png_err().  This mistake
+    was introduced in libpng-1.2.20beta01.
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement

pngerror.c

@@ -87,12 +87,17 @@ png_error(png_structp png_ptr, png_const_charp error_message)
 void PNGAPI
 png_err(png_structp png_ptr)
 {
+   /* Prior to 1.2.45 the error_fn received a NULL pointer, expressed
+    * erroneously as '\0', instead of the empty string "".  This was
+    * apparently an error, introduced in libpng-1.2.20, and png_default_error
+    * will crash in this case.
+    */
    if (png_ptr != NULL && png_ptr->error_fn != NULL)
-      (*(png_ptr->error_fn))(png_ptr, '\0');
+      (*(png_ptr->error_fn))(png_ptr, "");
 
    /* If the custom handler doesn't exist, or if it returns,
       use the default handler, which will not return. */
-   png_default_error(png_ptr, '\0');
+   png_default_error(png_ptr, "");
 }
 #endif /* PNG_ERROR_TEXT_SUPPORTED */
 
@@ -181,8 +186,13 @@ png_format_buffer(png_structp png_ptr, png_charp buffer, png_const_charp
    {
       buffer[iout++] = ':';
       buffer[iout++] = ' ';
-      png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT);
-      buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0';
+
+      iin = 0;
+      while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
+         buffer[iout++] = error_message[iin++];
+
+      /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
+      buffer[iout] = '\0';
    }
 }