[libpng12] Avoid out-of-bounds memory access while checking version string in
pngread.c and pngwrite.c
This commit is contained in:
parent
ee6be87332
commit
afd39b47f7
6
ANNOUNCE
6
ANNOUNCE
@ -1,5 +1,5 @@
|
||||
|
||||
Libpng 1.2.52beta01 - February 6, 2014
|
||||
Libpng 1.2.52beta01 - November 6, 2014
|
||||
|
||||
This is not intended to be a public release. It will be replaced
|
||||
within a few weeks by a public version or by another test version.
|
||||
@ -43,7 +43,9 @@ Other information:
|
||||
|
||||
Changes since the last public release (1.2.51):
|
||||
|
||||
version 1.2.52beta01 [February 6, 2014]
|
||||
version 1.2.52beta01 [November 6, 2014]
|
||||
Avoid out-of-bounds memory access while checking version string in
|
||||
pngread.c and pngwrite.c
|
||||
|
||||
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
|
||||
(subscription required; visit
|
||||
|
4
CHANGES
4
CHANGES
@ -2814,7 +2814,9 @@ version 1.2.51rc04 [February 3, 2014]
|
||||
version 1.0.61 and 1.2.51 [February 6, 2014]
|
||||
Added an #ifdef PNG_FIXED_POINT_SUPPORTED/#endif in pngset.c
|
||||
|
||||
version 1.2.52beta01 [February 6, 2014]
|
||||
version 1.2.52beta01 [November 6, 2014]
|
||||
Avoid out-of-bounds memory access while checking version string in
|
||||
pngread.c and pngwrite.c
|
||||
|
||||
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
|
||||
(subscription required; visit
|
||||
|
14
pngread.c
14
pngread.c
@ -100,14 +100,20 @@ png_create_read_struct_2(png_const_charp user_png_ver, png_voidp error_ptr,
|
||||
|
||||
png_set_error_fn(png_ptr, error_ptr, error_fn, warn_fn);
|
||||
|
||||
if (user_png_ver)
|
||||
if (user_png_ver != NULL)
|
||||
{
|
||||
i = 0;
|
||||
int found_dots = 0;
|
||||
i = -1;
|
||||
|
||||
do
|
||||
{
|
||||
if (user_png_ver[i] != png_libpng_ver[i])
|
||||
i++;
|
||||
if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
|
||||
png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
|
||||
} while (png_libpng_ver[i++]);
|
||||
if (user_png_ver[i] == '.')
|
||||
found_dots++;
|
||||
} while (found_dots < 2 && user_png_ver[i] != 0 &&
|
||||
PNG_LIBPNG_VER_STRING[i] != 0);
|
||||
}
|
||||
else
|
||||
png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
|
||||
|
19
pngwrite.c
19
pngwrite.c
@ -525,15 +525,23 @@ png_create_write_struct_2(png_const_charp user_png_ver, png_voidp error_ptr,
|
||||
#endif /* PNG_USER_MEM_SUPPORTED */
|
||||
png_set_error_fn(png_ptr, error_ptr, error_fn, warn_fn);
|
||||
|
||||
if (user_png_ver)
|
||||
if (user_png_ver != NULL)
|
||||
{
|
||||
i = 0;
|
||||
int found_dots = 0;
|
||||
i = -1;
|
||||
|
||||
do
|
||||
{
|
||||
if (user_png_ver[i] != png_libpng_ver[i])
|
||||
i++;
|
||||
if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
|
||||
png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
|
||||
} while (png_libpng_ver[i++]);
|
||||
if (user_png_ver[i] == '.')
|
||||
found_dots++;
|
||||
} while (found_dots < 2 && user_png_ver[i] != 0 &&
|
||||
PNG_LIBPNG_VER_STRING[i] != 0);
|
||||
}
|
||||
else
|
||||
png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
|
||||
|
||||
if (png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH)
|
||||
{
|
||||
@ -685,7 +693,8 @@ png_write_init_3(png_structpp ptr_ptr, png_const_charp user_png_ver,
|
||||
"Application uses deprecated png_write_init() and should be recompiled.");
|
||||
#endif
|
||||
}
|
||||
} while (png_libpng_ver[i++]);
|
||||
i++;
|
||||
} while (png_libpng_ver[i] != 0 && user_png_ver[i] != 0);
|
||||
|
||||
png_debug(1, "in png_write_init_3");
|
||||
|
||||
|
Reference in New Issue
Block a user