[legacy] Fixed 1-byte uninitialized memory reference in png_format_buffer()

(Bug report by Frank Busse, related to CVE-2004-0421). Pass "" instead of '\0' to png_default_error() in png_err(). This mistake was introduced in libpng-1.2.20beta01.
2011-06-07 15:17:35 -05:00 · 2011-06-07 15:17:35 -05:00 · 950f965bca
commit 950f965bca
parent 7bda306764
3 changed files with 103 additions and 27 deletions
--- a/104
+++ b/104
@ -1,54 +1,114 @@
-Libpng 1.2.44 - June 26, 2010
+Libpng 1.2.45beta01 - June 7, 2011
-This is a public release of libpng, intended for use in production codes.
+This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
 Files available for download:
 Source files with LF line endings (for Unix/Linux) and with a
 "configure" script
-   libpng-1.2.44.tar.xz (LZMA-compressed, recommended)
+   libpng-1.2.45beta01.tar.xz (LZMA-compressed, recommended)
-   libpng-1.2.44.tar.gz
+   libpng-1.2.45beta01.tar.gz
-   libpng-1.2.44.tar.bz2
+   libpng-1.2.45beta01.tar.bz2
 Source files with LF line endings (for Unix/Linux) without the
 "configure" script
-   libpng-1.2.44-no-config.tar.xz (LZMA-compressed, recommended)
+   libpng-1.2.45beta01-no-config.tar.xz (LZMA-compressed, recommended)
-   libpng-1.2.44-no-config.tar.gz
+   libpng-1.2.45beta01-no-config.tar.gz
-   libpng-1.2.44-no-config.tar.bz2
+   libpng-1.2.45beta01-no-config.tar.bz2
 Source files with CRLF line endings (for Windows), without the
 "configure" script
-   lpng1244.zip
+   lp1245b01.zip
-   lpng1244.7z
+   lp1245b01.7z
-   lpng1244.tar.bz2
+   lp1245b01.tar.bz2
 Project files
-   libpng-1.2.44-project-netware.zip
+   libpng-1.2.45beta01-project-netware.zip
-   libpng-1.2.44-project-wince.zip
+   libpng-1.2.45beta01-project-wince.zip
 Other information:
-   libpng-1.2.44-README.txt
+   libpng-1.2.45beta01-README.txt
-   libpng-1.2.44-KNOWNBUGS.txt
+   libpng-1.2.45beta01-KNOWNBUGS.txt
-   libpng-1.2.44-LICENSE.txt
+   libpng-1.2.45beta01-LICENSE.txt
-   libpng-1.2.44-Y2K-compliance.txt
+   libpng-1.2.45beta01-Y2K-compliance.txt
-   libpng-1.2.44-[previous version]-diff.txt
+   libpng-1.2.45beta01-[previous version]-diff.txt
-Changes since the last public release (1.2.43):
+Changes since the last public release (1.2.42):
-version 1.2.44 [June 26, 2010]
+version 1.2.43beta01 [January 27, 2010]
  Updated CMakeLists.txt for consistent indentation and to avoid an
    unclosed if-statement warning (Philip Lowman).
  Removed "#ifdef PNG_1_0_X / #endif" surrounding
    PNG_READ_16_TO_8_SUPPORTED and PNG_READ_GRAY_TO_RGB_SUPPORTED
    in pngconf.h.  These were added in libpng-1.2.41beta08 and libpng-1.0.51,
    which introduced a binary incompatibility with libpng-1.0.50.
  Backported new png_decompress_chunk() algorithm from libpng-1.4.1
-  Rewrote png_process_IDAT_data to consistently treat extra data as warnings
+version 1.2.43beta02 [February 1, 2010]
-    and handle end conditions more cleanly.
+  Backported two-pass png_decompress_chunk() algorithm from libpng-1.4.1
 version 1.2.43beta03 [February 6, 2010]
  Backported fast png_push_save_buffer() algorithm from libpng-1.4.1
 version 1.2.43beta04 [February 8, 2010]
  Reverted recent changes to png_push_save-buffer().
  Removed PNGAPI declaration of png_calloc() and png_write_sig() in
    1ibpng-1.2.X, introduced by mistake in libpng-1.2.41.
  Return allocated "old_buffer" in png_push_save_buffer() before png_error(),
    to avoid a potential memory leak.
 version 1.2.43beta05 [February 8, 2010]
  Ported rewritten png_decompress_chunk() by John Bowler from libpng-1.4.1.
 version 1.0.53rc01 and 1.2.43rc01 [February 18, 2010]
  No changes.
 version 1.0.53rc02 and 1.2.43rc02 [February 19, 2010]
  Define _ALL_SOURCE in configure.ac, makefile.aix, and CMakeLists.txt
    when using AIX compiler.
 version 1.0.53 and 1.2.43 [February 25, 2010]
  Removed unused gzio.c from contrib/pngminim gather and makefile scripts
 version 1.2.44beta01 [June 18, 2010]
  In pngpread.c: png_push_have_row() add check for new_row > height
  Removed the now-redundant check for out-of-bounds new_row from example.c
 version 1.2.44beta02 [June 19, 2010]
  In pngpread.c: png_push_process_row() add check for too many rows.
  Removed the now-redundant check for new_row > height in png_push_have_row().
 version 1.2.44beta03 [June 20, 2010]
  Rewrote png_process_IDAT_data to consistently treat extra data as warnings
    and handle end conditions more cleanly.
  Removed the new (beta02) check in png_push_process_row().
 version 1.2.44rc01 [June 21, 2010]
  Revised some comments in png_process_IDAT_data().
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 version 1.2.44rc02 [June 22, 2010]
  Stop memory leak when reading a malformed sCAL chunk.
 version 1.2.44rc03 [June 23, 2010]
  Revised pngpread.c patch of beta05 to avoid an endless loop.
 version 1.2.44 [June 26, 2010]
  Updated some of the "last changed" dates.
 version 1.2.45beta01 [June 7, 2011]
  Fixed 1-byte uninitialized memory reference in png_format_buffer() (Bug
    report by Frank Busse, related to CVE-2004-0421).
  Pass "" instead of '\0' to png_default_error() in png_err().  This mistake
    was introduced in libpng-1.2.20beta01.
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement
 to subscribe) or to glennrp at users.sourceforge.net
--- a/8
+++ b/8
@ -1478,7 +1478,7 @@ version 1.2.9beta5 [March 4, 2006]
  Removed trailing blanks from source files.
  Put version and date of latest change in each source file, and changed
    copyright year accordingly.
-  More cleanup of configure.ac, Makefile.ac, and associated scripts.
+  More cleanup of configure.ac, Makefile.am, and associated scripts.
  Restored scripts/makefile.elf which was inadvertently deleted.
 version 1.2.9beta6 [March 6, 2006]
@ -2704,6 +2704,12 @@ version 1.2.44rc03 [June 23, 2010]
 version 1.2.44 [June 26, 2010]
  Updated some of the "last changed" dates.
 version 1.2.45beta01 [June 7, 2011]
  Fixed 1-byte uninitialized memory reference in png_format_buffer() (Bug
    report by Frank Busse, related to CVE-2004-0421).
  Pass "" instead of '\0' to png_default_error() in png_err().  This mistake
    was introduced in libpng-1.2.20beta01.
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement
--- a/pngerror.c
+++ b/pngerror.c
@ -87,12 +87,17 @@ png_error(png_structp png_ptr, png_const_charp error_message)
 void PNGAPI
 png_err(png_structp png_ptr)
 {
   /* Prior to 1.2.45 the error_fn received a NULL pointer, expressed
    * erroneously as '\0', instead of the empty string "".  This was
    * apparently an error, introduced in libpng-1.2.20, and png_default_error
    * will crash in this case.
    */
   if (png_ptr != NULL && png_ptr->error_fn != NULL)
-      (*(png_ptr->error_fn))(png_ptr, '\0');
+      (*(png_ptr->error_fn))(png_ptr, "");
   /* If the custom handler doesn't exist, or if it returns,
      use the default handler, which will not return. */
-   png_default_error(png_ptr, '\0');
+   png_default_error(png_ptr, "");
 }
 #endif /* PNG_ERROR_TEXT_SUPPORTED */
@ -181,8 +186,13 @@ png_format_buffer(png_structp png_ptr, png_charp buffer, png_const_charp
   {
      buffer[iout++] = ':';
      buffer[iout++] = ' ';
-      png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT);
+
-      buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0';
+      iin = 0;
      while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
         buffer[iout++] = error_message[iin++];
      /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
      buffer[iout] = '\0';
   }
 }