[libpng12] Avoid out-of-bounds memory access while checking version string in

pngread.c and pngwrite.c
This commit is contained in:
Glenn Randers-Pehrson 2014-11-06 08:26:18 -06:00
parent ee6be87332
commit afd39b47f7
4 changed files with 34 additions and 15 deletions

View File

@ -1,5 +1,5 @@
Libpng 1.2.52beta01 - February 6, 2014
Libpng 1.2.52beta01 - November 6, 2014
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
@ -43,7 +43,9 @@ Other information:
Changes since the last public release (1.2.51):
version 1.2.52beta01 [February 6, 2014]
version 1.2.52beta01 [November 6, 2014]
Avoid out-of-bounds memory access while checking version string in
pngread.c and pngwrite.c
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit

View File

@ -2814,7 +2814,9 @@ version 1.2.51rc04 [February 3, 2014]
version 1.0.61 and 1.2.51 [February 6, 2014]
Added an #ifdef PNG_FIXED_POINT_SUPPORTED/#endif in pngset.c
version 1.2.52beta01 [February 6, 2014]
version 1.2.52beta01 [November 6, 2014]
Avoid out-of-bounds memory access while checking version string in
pngread.c and pngwrite.c
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit

View File

@ -100,14 +100,20 @@ png_create_read_struct_2(png_const_charp user_png_ver, png_voidp error_ptr,
png_set_error_fn(png_ptr, error_ptr, error_fn, warn_fn);
if (user_png_ver)
if (user_png_ver != NULL)
{
i = 0;
int found_dots = 0;
i = -1;
do
{
if (user_png_ver[i] != png_libpng_ver[i])
i++;
if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
} while (png_libpng_ver[i++]);
if (user_png_ver[i] == '.')
found_dots++;
} while (found_dots < 2 && user_png_ver[i] != 0 &&
PNG_LIBPNG_VER_STRING[i] != 0);
}
else
png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;

View File

@ -525,15 +525,23 @@ png_create_write_struct_2(png_const_charp user_png_ver, png_voidp error_ptr,
#endif /* PNG_USER_MEM_SUPPORTED */
png_set_error_fn(png_ptr, error_ptr, error_fn, warn_fn);
if (user_png_ver)
if (user_png_ver != NULL)
{
i = 0;
int found_dots = 0;
i = -1;
do
{
if (user_png_ver[i] != png_libpng_ver[i])
i++;
if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
} while (png_libpng_ver[i++]);
if (user_png_ver[i] == '.')
found_dots++;
} while (found_dots < 2 && user_png_ver[i] != 0 &&
PNG_LIBPNG_VER_STRING[i] != 0);
}
else
png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
if (png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH)
{
@ -685,7 +693,8 @@ png_write_init_3(png_structpp ptr_ptr, png_const_charp user_png_ver,
"Application uses deprecated png_write_init() and should be recompiled.");
#endif
}
} while (png_libpng_ver[i++]);
i++;
} while (png_libpng_ver[i] != 0 && user_png_ver[i] != 0);
png_debug(1, "in png_write_init_3");