From afd39b47f7c326d090f4235f83086ffc9fd8dab9 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson
Date: Thu, 6 Nov 2014 08:26:18 -0600
Subject: [PATCH] [libpng12] Avoid out-of-bounds memory access while checking version string in pngread.c and pngwrite.c

---
 ANNOUNCE | 6 ++++--
 CHANGES | 4 +++-
 pngread.c | 18 ++++++++++++------
 pngwrite.c | 21 +++++++++++++++------
 4 files changed, 34 insertions(+), 15 deletions(-)

diff --git a/ANNOUNCE b/ANNOUNCE
index df6d0c05..64b309bd 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
-Libpng 1.2.52beta01 - February 6, 2014
+Libpng 1.2.52beta01 - November 6, 2014
 This is not intended to be a public release. It will be replaced within
 a few weeks by a public version or by another test version.
@@ -43,7 +43,9 @@ Other information:
 Changes since the last public release (1.2.51):
-version 1.2.52beta01 [February 6, 2014]
+version 1.2.52beta01 [November 6, 2014]
+  Avoid out-of-bounds memory access while checking version string in
+  pngread.c and pngwrite.c
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index 8c8d0614..95554512 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2814,7 +2814,9 @@ version 1.2.51rc04 [February 3, 2014]
 version 1.0.61 and 1.2.51 [February 6, 2014]
   Added an #ifdef PNG_FIXED_POINT_SUPPORTED/#endif in pngset.c
-version 1.2.52beta01 [February 6, 2014]
+version 1.2.52beta01 [November 6, 2014]
+  Avoid out-of-bounds memory access while checking version string in
+  pngread.c and pngwrite.c
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/pngread.c b/pngread.c
index 2197ff17..9ade1b31 100644
--- a/pngread.c
+++ b/pngread.c
@@ -100,16 +100,22 @@ png_create_read_struct_2(png_const_charp user_png_ver, png_voidp error_ptr,
    png_set_error_fn(png_ptr, error_ptr, error_fn, warn_fn);
-   if (user_png_ver)
+   if (user_png_ver != NULL)
    {
-     i = 0;
+     int found_dots = 0;
+     i = -1;
+
      do
      {
-       if (user_png_ver[i] != png_libpng_ver[i])
+       i++;
+       if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
           png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
-     } while (png_libpng_ver[i++]);
-   }
-   else
+       if (user_png_ver[i] == '.')
+         found_dots++;
+     } while (found_dots < 2 && user_png_ver[i] != 0 &&
+         PNG_LIBPNG_VER_STRING[i] != 0);
+   }
+   else
      png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
diff --git a/pngwrite.c b/pngwrite.c
index 1d94404d..c5cd9ec8 100644
--- a/pngwrite.c
+++ b/pngwrite.c
@@ -525,15 +525,23 @@ png_create_write_struct_2(png_const_charp user_png_ver, png_voidp error_ptr,
 #endif /* PNG_USER_MEM_SUPPORTED */
    png_set_error_fn(png_ptr, error_ptr, error_fn, warn_fn);
-   if (user_png_ver)
+   if (user_png_ver != NULL)
    {
-     i = 0;
+     int found_dots = 0;
+     i = -1;
+
      do
      {
-       if (user_png_ver[i] != png_libpng_ver[i])
+       i++;
+       if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
           png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
-     } while (png_libpng_ver[i++]);
+       if (user_png_ver[i] == '.')
+         found_dots++;
+     } while (found_dots < 2 && user_png_ver[i] != 0 &&
+         PNG_LIBPNG_VER_STRING[i] != 0);
    }
+   else
+     png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
    if (png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH)
    {
@@ -684,8 +692,9 @@ png_write_init_3(png_structpp ptr_ptr, png_const_charp user_png_ver,
            png_warning(png_ptr, "Application uses deprecated png_write_init() and should be recompiled.");
 #endif
-         }
-      } while (png_libpng_ver[i++]);
+         }
+         i++;
+      } while (png_libpng_ver[i] != 0 && user_png_ver[i] != 0);
    png_debug(1, "in png_write_init_3");
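Review bot: The rewritten loop in png_create_read_struct_2 changes what is compared, not only how far it reads: it exits once the second '.' has been matched, so the patch-level field (a constructed "1.2.52" against "1.2.51") no longer sets PNG_FLAG_LIBRARY_MISMATCH, while the replaced loop compared the whole string, and the commit message mentions only the out-of-bounds fix. That intent should be recorded above `int found_dots = 0;`, e.g. `/* Compare only the major and minor fields (text up to and including the second '.'); the terminator is compared as well, so a shorter user string still mismatches. */`. The same loop and the same missing comment appear in the png_create_write_struct_2 hunk of pngwrite.c. If the mismatch handling that follows these hunks (outside the visible lines) still indexes user_png_ver at fixed offsets such as [2], a one-character version string can be read past its terminator there too, so it is worth checking in the same pass. png_create_read_struct_2 starts and continues outside the hunk.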
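Review bot: The new exit condition in png_write_init_3, `} while (png_libpng_ver[i] != 0 && user_png_ver[i] != 0);`, stops before the terminator of the shorter string is ever compared, so a user string that is a proper prefix of the library string (constructed "1.2" against "1.2.52") is no longer reported, whereas the replaced `while (png_libpng_ver[i++])` did compare it and the new loops in png_create_read_struct_2 and png_create_write_struct_2 still do. Assuming the loop body above the hunk compares user_png_ver[i] with png_libpng_ver[i], testing the character that was just compared keeps every read in bounds and restores the old full-string comparison: `} while (png_libpng_ver[i - 1] != 0 && user_png_ver[i - 1] != 0);`. This function also keeps comparing against the runtime png_libpng_ver array while the other two hunks switch to the compile-time PNG_LIBPNG_VER_STRING; using one source in all three places would make the check easier to audit. The enclosing do-while and png_write_init_3 itself start outside the hunk.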