[legacy] Fixed 1-byte uninitialized memory reference in png_format_buffer()

(Bug report by Frank Busse, related to CVE-2004-0421).

Pass "" instead of '\0' to png_default_error() in png_err().  This mistake
was introduced in libpng-1.2.20beta01.
Glenn Randers-Pehrson 2011-06-07 15:17:35 -05:00
parent 7bda306764
commit 950f965bca
3 changed files with 103 additions and 27 deletions

ANNOUNCE

@ -1,54 +1,114 @@
Libpng 1.2.44 - June 26, 2010 Libpng 1.2.45beta01 - June 7, 2011
This is a public release of libpng, intended for use in production codes. This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
Files available for download: Files available for download:
Source files with LF line endings (for Unix/Linux) and with a Source files with LF line endings (for Unix/Linux) and with a
"configure" script "configure" script
libpng-1.2.44.tar.xz (LZMA-compressed, recommended) libpng-1.2.45beta01.tar.xz (LZMA-compressed, recommended)
libpng-1.2.44.tar.gz libpng-1.2.45beta01.tar.gz
libpng-1.2.44.tar.bz2 libpng-1.2.45beta01.tar.bz2
Source files with LF line endings (for Unix/Linux) without the Source files with LF line endings (for Unix/Linux) without the
"configure" script "configure" script
libpng-1.2.44-no-config.tar.xz (LZMA-compressed, recommended) libpng-1.2.45beta01-no-config.tar.xz (LZMA-compressed, recommended)
libpng-1.2.44-no-config.tar.gz libpng-1.2.45beta01-no-config.tar.gz
libpng-1.2.44-no-config.tar.bz2 libpng-1.2.45beta01-no-config.tar.bz2
Source files with CRLF line endings (for Windows), without the Source files with CRLF line endings (for Windows), without the
"configure" script "configure" script
lpng1244.zip lp1245b01.zip
lpng1244.7z lp1245b01.7z
lpng1244.tar.bz2 lp1245b01.tar.bz2
Project files Project files
libpng-1.2.44-project-netware.zip libpng-1.2.45beta01-project-netware.zip
libpng-1.2.44-project-wince.zip libpng-1.2.45beta01-project-wince.zip
Other information: Other information:
libpng-1.2.44-README.txt libpng-1.2.45beta01-README.txt
libpng-1.2.44-KNOWNBUGS.txt libpng-1.2.45beta01-KNOWNBUGS.txt
libpng-1.2.44-LICENSE.txt libpng-1.2.45beta01-LICENSE.txt
libpng-1.2.44-Y2K-compliance.txt libpng-1.2.45beta01-Y2K-compliance.txt
libpng-1.2.44-[previous version]-diff.txt libpng-1.2.45beta01-[previous version]-diff.txt
Changes since the last public release (1.2.43): Changes since the last public release (1.2.42):
version 1.2.44 [June 26, 2010] version 1.2.43beta01 [January 27, 2010]
Updated CMakeLists.txt for consistent indentation and to avoid an
unclosed if-statement warning (Philip Lowman).
Removed "#ifdef PNG_1_0_X / #endif" surrounding
PNG_READ_16_TO_8_SUPPORTED and PNG_READ_GRAY_TO_RGB_SUPPORTED
in pngconf.h. These were added in libpng-1.2.41beta08 and libpng-1.0.51,
which introduced a binary incompatibility with libpng-1.0.50.
Backported new png_decompress_chunk() algorithm from libpng-1.4.1
Rewrote png_process_IDAT_data to consistently treat extra data as warnings version 1.2.43beta02 [February 1, 2010]
and handle end conditions more cleanly. Backported two-pass png_decompress_chunk() algorithm from libpng-1.4.1
version 1.2.43beta03 [February 6, 2010]
Backported fast png_push_save_buffer() algorithm from libpng-1.4.1
version 1.2.43beta04 [February 8, 2010]
Reverted recent changes to png_push_save-buffer().
Removed PNGAPI declaration of png_calloc() and png_write_sig() in
1ibpng-1.2.X, introduced by mistake in libpng-1.2.41.
Return allocated "old_buffer" in png_push_save_buffer() before png_error(),
to avoid a potential memory leak.
version 1.2.43beta05 [February 8, 2010]
Ported rewritten png_decompress_chunk() by John Bowler from libpng-1.4.1.
version 1.0.53rc01 and 1.2.43rc01 [February 18, 2010]
No changes.
version 1.0.53rc02 and 1.2.43rc02 [February 19, 2010]
Define _ALL_SOURCE in configure.ac, makefile.aix, and CMakeLists.txt
when using AIX compiler.
version 1.0.53 and 1.2.43 [February 25, 2010]
Removed unused gzio.c from contrib/pngminim gather and makefile scripts
version 1.2.44beta01 [June 18, 2010]
In pngpread.c: png_push_have_row() add check for new_row > height
Removed the now-redundant check for out-of-bounds new_row from example.c Removed the now-redundant check for out-of-bounds new_row from example.c
version 1.2.44beta02 [June 19, 2010]
In pngpread.c: png_push_process_row() add check for too many rows.
Removed the now-redundant check for new_row > height in png_push_have_row().
version 1.2.44beta03 [June 20, 2010]
Rewrote png_process_IDAT_data to consistently treat extra data as warnings
and handle end conditions more cleanly.
Removed the new (beta02) check in png_push_process_row().
version 1.2.44rc01 [June 21, 2010]
Revised some comments in png_process_IDAT_data().
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
version 1.2.44rc02 [June 22, 2010]
Stop memory leak when reading a malformed sCAL chunk.
version 1.2.44rc03 [June 23, 2010]
Revised pngpread.c patch of beta05 to avoid an endless loop.
version 1.2.44 [June 26, 2010]
Updated some of the "last changed" dates.
version 1.2.45beta01 [June 7, 2011]
Fixed 1-byte uninitialized memory reference in png_format_buffer() (Bug
report by Frank Busse, related to CVE-2004-0421).
Pass "" instead of '\0' to png_default_error() in png_err(). This mistake
was introduced in libpng-1.2.20beta01.
(subscription required; visit (subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement https://lists.sourceforge.net/lists/listinfo/png-mng-implement
to subscribe) or to glennrp at users.sourceforge.net to subscribe) or to glennrp at users.sourceforge.net
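Review bot: the new header line "Changes since the last public release (1.2.42):" is wrong for a 1.2.45 beta. The left column's own text calls 1.2.44 "a public release of libpng", and the right column lists "version 1.0.53 and 1.2.43 [February 25, 2010]" as a release, so the line should read "(1.2.44)" and the list under it should carry only the "version 1.2.45beta01 [June 7, 2011]" entry instead of replaying the 1.2.43beta01 through 1.2.44 beta/rc history that the previous ANNOUNCE already covered.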


@ -1478,7 +1478,7 @@ version 1.2.9beta5 [March 4, 2006]
Removed trailing blanks from source files. Removed trailing blanks from source files.
Put version and date of latest change in each source file, and changed Put version and date of latest change in each source file, and changed
copyright year accordingly. copyright year accordingly.
More cleanup of configure.ac, Makefile.ac, and associated scripts. More cleanup of configure.ac, Makefile.am, and associated scripts.
Restored scripts/makefile.elf which was inadvertently deleted. Restored scripts/makefile.elf which was inadvertently deleted.
version 1.2.9beta6 [March 6, 2006] version 1.2.9beta6 [March 6, 2006]
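Review bot: the "Makefile.ac" to "Makefile.am" correction in the 2006 1.2.9beta5 entry is a separate housekeeping fix that the commit message does not mention; either list it in the message or move it to its own commit so the history of the png_format_buffer() fix stays easy to audit.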
@ -2704,6 +2704,12 @@ version 1.2.44rc03 [June 23, 2010]
version 1.2.44 [June 26, 2010] version 1.2.44 [June 26, 2010]
Updated some of the "last changed" dates. Updated some of the "last changed" dates.
version 1.2.45beta01 [June 7, 2011]
Fixed 1-byte uninitialized memory reference in png_format_buffer() (Bug
report by Frank Busse, related to CVE-2004-0421).
Pass "" instead of '\0' to png_default_error() in png_err(). This mistake
was introduced in libpng-1.2.20beta01.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement https://lists.sourceforge.net/lists/listinfo/png-mng-implement
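Review bot: the 1.2.45beta01 entry describes the png_err() change only as "Pass "" instead of '\0' to png_default_error()", but the pngerror.c hunk also changes what a user-installed error_fn receives from png_err(): an empty string where it previously got a null pointer. Since CHANGES is the record application authors read, add a line such as "A custom error_fn now receives "" rather than NULL from png_err()" so code that tested the message pointer for NULL can be adjusted.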


@ -87,12 +87,17 @@ png_error(png_structp png_ptr, png_const_charp error_message)
void PNGAPI void PNGAPI
png_err(png_structp png_ptr) png_err(png_structp png_ptr)
{ {
/* Prior to 1.2.45 the error_fn received a NULL pointer, expressed
* erroneously as '\0', instead of the empty string "". This was
* apparently an error, introduced in libpng-1.2.20, and png_default_error
* will crash in this case.
*/
if (png_ptr != NULL && png_ptr->error_fn != NULL) if (png_ptr != NULL && png_ptr->error_fn != NULL)
(*(png_ptr->error_fn))(png_ptr, '\0'); (*(png_ptr->error_fn))(png_ptr, "");
/* If the custom handler doesn't exist, or if it returns, /* If the custom handler doesn't exist, or if it returns,
use the default handler, which will not return. */ use the default handler, which will not return. */
png_default_error(png_ptr, '\0'); png_default_error(png_ptr, "");
} }
#endif /* PNG_ERROR_TEXT_SUPPORTED */ #endif /* PNG_ERROR_TEXT_SUPPORTED */
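Review bot: the new comment explains the old behaviour ("received a NULL pointer, expressed erroneously as '\0'") but not the new contract, and it hedges with "apparently an error" while the commit message states it as fact; rewrite it to say what the function now guarantees, e.g. "png_err() always passes a valid (possibly empty) string to error_fn and to png_default_error()". Since png_err() is the variant compiled only when PNG_ERROR_TEXT_SUPPORTED is off (the #endif closing this hunk), a default build never executes this path, so the fix should be compile-tested and run with error text disabled to confirm that png_default_error(png_ptr, "") produces acceptable output for an empty message. The comment's "libpng-1.2.20" also disagrees slightly with the CHANGES entry's "libpng-1.2.20beta01"; pick one.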
@ -181,8 +186,13 @@ png_format_buffer(png_structp png_ptr, png_charp buffer, png_const_charp
{ {
buffer[iout++] = ':'; buffer[iout++] = ':';
buffer[iout++] = ' '; buffer[iout++] = ' ';
png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT);
buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0'; iin = 0;
while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
buffer[iout++] = error_message[iin++];
/* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
buffer[iout] = '\0';
} }
} }
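Review bot: the comment "iin < PNG_MAX_ERROR_TEXT, so the following is safe" only establishes that the terminator lands within the PNG_MAX_ERROR_TEXT bytes following the ": " prefix (the loop copies at most PNG_MAX_ERROR_TEXT-1 message bytes, so buffer[iout] after it is at offset prefix+PNG_MAX_ERROR_TEXT-1 at most); nothing in this function knows the caller's actual buffer size, so state the required size (prefix length plus PNG_MAX_ERROR_TEXT) in the function header comment or add a buffer-size parameter and check iout against it. Worth noting in the commit message as well: the removed png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT) read a fixed PNG_MAX_ERROR_TEXT bytes from error_message regardless of its length, so the source over-read applied to every message shorter than PNG_MAX_ERROR_TEXT, not only the 1-byte case that was reported; the bounded loop stopping at the NUL fixes all of them.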