From 950f965bca585bcc3d36a86bcca663b513607151 Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Tue, 7 Jun 2011 15:17:35 -0500 Subject: [PATCH] [legacy] Fixed 1-byte uninitialized memory reference in png_format_buffer() (Bug report by Frank Busse, related to CVE-2004-0421). Pass "" instead of '\0' to png_default_error() in png_err(). This mistake was introduced in libpng-1.2.20beta01. --- ANNOUNCE | 104 +++++++++++++++++++++++++++++++++++++++++------------ CHANGES | 8 ++++- pngerror.c | 18 +++++++--- 3 files changed, 103 insertions(+), 27 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index c533fd14..38e1efa1 100644 --- a/ANNOUNCE +++ b/ANNOUNCE 
@@ -1,54 +1,114 @@ -Libpng 1.2.44 - June 26, 2010 +Libpng 1.2.45beta01 - June 7, 2011 -This is a public release of libpng, intended for use in production codes. +This is not intended to be a public release. It will be replaced +within a few weeks by a public version or by another test version. Files available for download: Source files with LF line endings (for Unix/Linux) and with a "configure" script - libpng-1.2.44.tar.xz (LZMA-compressed, recommended) - libpng-1.2.44.tar.gz - libpng-1.2.44.tar.bz2 + libpng-1.2.45beta01.tar.xz (LZMA-compressed, recommended) + libpng-1.2.45beta01.tar.gz + libpng-1.2.45beta01.tar.bz2 Source files with LF line endings (for Unix/Linux) without the "configure" script - libpng-1.2.44-no-config.tar.xz (LZMA-compressed, recommended) - libpng-1.2.44-no-config.tar.gz - libpng-1.2.44-no-config.tar.bz2 + libpng-1.2.45beta01-no-config.tar.xz (LZMA-compressed, recommended) + libpng-1.2.45beta01-no-config.tar.gz + libpng-1.2.45beta01-no-config.tar.bz2 Source files with CRLF line endings (for Windows), without the "configure" script - lpng1244.zip - lpng1244.7z - lpng1244.tar.bz2 + lp1245b01.zip + lp1245b01.7z + lp1245b01.tar.bz2 Project files - libpng-1.2.44-project-netware.zip - libpng-1.2.44-project-wince.zip + libpng-1.2.45beta01-project-netware.zip + libpng-1.2.45beta01-project-wince.zip Other information: - libpng-1.2.44-README.txt - libpng-1.2.44-KNOWNBUGS.txt - libpng-1.2.44-LICENSE.txt - libpng-1.2.44-Y2K-compliance.txt - libpng-1.2.44-[previous version]-diff.txt + libpng-1.2.45beta01-README.txt + libpng-1.2.45beta01-KNOWNBUGS.txt + libpng-1.2.45beta01-LICENSE.txt + libpng-1.2.45beta01-Y2K-compliance.txt + libpng-1.2.45beta01-[previous version]-diff.txt -Changes since the last public release (1.2.43): +Changes since the last public release (1.2.42): -version 1.2.44 [June 26, 2010] +version 1.2.43beta01 [January 27, 2010] + Updated CMakeLists.txt for consistent indentation and to avoid an + unclosed if-statement warning (Philip Lowman). 
+ Removed "#ifdef PNG_1_0_X / #endif" surrounding + PNG_READ_16_TO_8_SUPPORTED and PNG_READ_GRAY_TO_RGB_SUPPORTED + in pngconf.h. These were added in libpng-1.2.41beta08 and libpng-1.0.51, + which introduced a binary incompatibility with libpng-1.0.50. + Backported new png_decompress_chunk() algorithm from libpng-1.4.1 - Rewrote png_process_IDAT_data to consistently treat extra data as warnings - and handle end conditions more cleanly. +version 1.2.43beta02 [February 1, 2010] + Backported two-pass png_decompress_chunk() algorithm from libpng-1.4.1 + +version 1.2.43beta03 [February 6, 2010] + Backported fast png_push_save_buffer() algorithm from libpng-1.4.1 + +version 1.2.43beta04 [February 8, 2010] + Reverted recent changes to png_push_save-buffer(). + Removed PNGAPI declaration of png_calloc() and png_write_sig() in + 1ibpng-1.2.X, introduced by mistake in libpng-1.2.41. + Return allocated "old_buffer" in png_push_save_buffer() before png_error(), + to avoid a potential memory leak. + +version 1.2.43beta05 [February 8, 2010] + Ported rewritten png_decompress_chunk() by John Bowler from libpng-1.4.1. + +version 1.0.53rc01 and 1.2.43rc01 [February 18, 2010] + No changes. + +version 1.0.53rc02 and 1.2.43rc02 [February 19, 2010] + Define _ALL_SOURCE in configure.ac, makefile.aix, and CMakeLists.txt + when using AIX compiler. + +version 1.0.53 and 1.2.43 [February 25, 2010] + Removed unused gzio.c from contrib/pngminim gather and makefile scripts + +version 1.2.44beta01 [June 18, 2010] + In pngpread.c: png_push_have_row() add check for new_row > height Removed the now-redundant check for out-of-bounds new_row from example.c +version 1.2.44beta02 [June 19, 2010] + In pngpread.c: png_push_process_row() add check for too many rows. + Removed the now-redundant check for new_row > height in png_push_have_row(). + +version 1.2.44beta03 [June 20, 2010] + Rewrote png_process_IDAT_data to consistently treat extra data as warnings + and handle end conditions more cleanly. 
+ Removed the new (beta02) check in png_push_process_row(). + +version 1.2.44rc01 [June 21, 2010] + Revised some comments in png_process_IDAT_data(). Send comments/corrections/commendations to png-mng-implement at lists.sf.net +version 1.2.44rc02 [June 22, 2010] + Stop memory leak when reading a malformed sCAL chunk. + +version 1.2.44rc03 [June 23, 2010] + Revised pngpread.c patch of beta05 to avoid an endless loop. + +version 1.2.44 [June 26, 2010] + Updated some of the "last changed" dates. + +version 1.2.45beta01 [June 7, 2011] + Fixed 1-byte uninitialized memory reference in png_format_buffer() (Bug + report by Frank Busse, related to CVE-2004-0421). + Pass "" instead of '\0' to png_default_error() in png_err(). This mistake + was introduced in libpng-1.2.20beta01. + (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement to subscribe) or to glennrp at users.sourceforge.net diff --git a/CHANGES b/CHANGES index 90a3e2be..b083de6b 100644 --- a/CHANGES +++ b/CHANGES @@ -1478,7 +1478,7 @@ version 1.2.9beta5 [March 4, 2006] Removed trailing blanks from source files. Put version and date of latest change in each source file, and changed copyright year accordingly. - More cleanup of configure.ac, Makefile.ac, and associated scripts. + More cleanup of configure.ac, Makefile.am, and associated scripts. Restored scripts/makefile.elf which was inadvertently deleted. version 1.2.9beta6 [March 6, 2006] 
@@ -2704,6 +2704,12 @@ version 1.2.44rc03 [June 23, 2010] version 1.2.44 [June 26, 2010] Updated some of the "last changed" dates. +version 1.2.45beta01 [June 7, 2011] + Fixed 1-byte uninitialized memory reference in png_format_buffer() (Bug + report by Frank Busse, related to CVE-2004-0421). + Pass "" instead of '\0' to png_default_error() in png_err(). This mistake + was introduced in libpng-1.2.20beta01. + Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement diff --git a/pngerror.c b/pngerror.c index 7bc98fb1..8be43d69 100644 --- a/pngerror.c +++ b/pngerror.c @@ -87,12 +87,17 @@ png_error(png_structp png_ptr, png_const_charp error_message) void PNGAPI png_err(png_structp png_ptr) { + /* Prior to 1.2.45 the error_fn received a NULL pointer, expressed + * erroneously as '\0', instead of the empty string "". This was + * apparently an error, introduced in libpng-1.2.20, and png_default_error + * will crash in this case. + */ if (png_ptr != NULL && png_ptr->error_fn != NULL) - (*(png_ptr->error_fn))(png_ptr, '\0'); + (*(png_ptr->error_fn))(png_ptr, ""); /* If the custom handler doesn't exist, or if it returns, use the default handler, which will not return. */ - png_default_error(png_ptr, '\0'); + png_default_error(png_ptr, ""); } #endif /* PNG_ERROR_TEXT_SUPPORTED */ @@ -181,8 +186,13 @@ png_format_buffer(png_structp png_ptr, png_charp buffer, png_const_charp { buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT); - buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0'; + + iin = 0; + while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0') + buffer[iout++] = error_message[iin++]; + + /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */ + buffer[iout] = '\0'; } }
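Review bot: The new comment in png_err() records version history ("Prior to 1.2.45", "introduced in libpng-1.2.20") that the CHANGES hunk of this same commit already carries, and it explains the old wrong value rather than the invariant the code now relies on. A why-comment tied to the call would age better, e.g. `/* error_fn and png_default_error take a C string and must never see NULL; '\0' is a null pointer constant here, so pass the empty string instead. */`. The substance of the fix is right: `'\0'` converted to the pointer parameter is NULL, and `""` gives both the custom handler and the default handler a valid, empty message. Whatever png_default_error does with the message is outside this hunk.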
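Review bot: The comment `/* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */` justifies writing `buffer[iout]` with a bound on the source index, but the write is bounded by iout, i.e. the chunk-name prefix and `": "` already emitted plus the at most PNG_MAX_ERROR_TEXT-1 bytes copied here, and its safety depends on callers sizing `buffer` for that total, which this hunk does not show. I would restate it as `/* At most PNG_MAX_ERROR_TEXT-1 message bytes were copied, so the terminator fits provided callers size buffer for the chunk-name prefix plus PNG_MAX_ERROR_TEXT bytes. */` so the real precondition is named. The bounded loop now stops at the message's NUL instead of reading PNG_MAX_ERROR_TEXT bytes past a short string, which fixes the over-read, but a message longer than PNG_MAX_ERROR_TEXT-1 bytes is still truncated silently and that is worth a word in the same comment. png_format_buffer's signature, the declarations of iin and iout and the chunk-name loop that first used iin all start before this hunk.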