From d0bd02c4caf42b144fe1bec76dfbb934fd7407c2 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson
Date: Sun, 26 Feb 2012 20:42:28 -0600
Subject: [PATCH] [libpng12] Fixed off-by-one bug in png_handle_sCAL() when using fixed point arithmetic, causing out-of-bounds read in png_set_sCAL() because of failure to copy the string terminators (Franke Busse).
---
 ANNOUNCE | 8 ++++++--
 CHANGES | 8 +++++++-
 pngrutil.c | 12 ++++++------
 3 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/ANNOUNCE b/ANNOUNCE
index 9ff25e6d..671e0084 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
-Libpng 1.2.48beta01 - February 22, 2012
+Libpng 1.2.48beta01 - February 27, 2012
 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version.
@@ -42,13 +42,17 @@ Other information:
 Changes since the last public release (1.2.46):
-version 1.2.48beta01 [February 22, 2012]
+version 1.2.48beta01 [February 27, 2012]
 Removed two useless #ifdef directives from pngread.c and one from pngrutil.c Eliminated redundant png_push_read_tEXt|zTXt|iTXt|unknown code from pngpread.c and use the sequential png_handle_tEXt, etc., in pngrutil.c; now that png_ptr->buffer is inaccessible to applications, the special handling is no longer useful. Fixed bug with png_handle_hIST with odd chunk length (Frank Busse).
+ Fixed incorrect type (int copy should be png_size_t copy) in png_inflate().
+ Fixed off-by-one bug in png_handle_sCAL() when using fixed point arithmetic,
+ causing out-of-bounds read in png_set_sCAL() because of failure to copy
+ the string terminators (Franke Busse).
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/CHANGES b/CHANGES
index 50b5fbb8..aed693ef 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2741,17 +2741,23 @@ version 1.2.47beta01 [February 17, 2012]
 version 1.0.57rc01 and 1.2.47rc01 [February 17, 2012]
 Fixed CVE-2011-3026 buffer overrun bug.
+ Fixed CVE-2011-3026 buffer overrun bug. This bug was introduced when
+ iCCP chunk support was added at libpng-1.0.6.
 version 1.0.57 and 1.2.47 [February 18, 2012]
 No changes.
-version 1.2.48beta01 [February 22, 2012]
+version 1.2.48beta01 [February 27, 2012]
 Removed two useless #ifdef directives from pngread.c and one from pngrutil.c Eliminated redundant png_push_read_tEXt|zTXt|iTXt|unknown code from pngpread.c and use the sequential png_handle_tEXt, etc., in pngrutil.c; now that png_ptr->buffer is inaccessible to applications, the special handling is no longer useful. Fixed bug with png_handle_hIST with odd chunk length (Frank Busse).
+ Fixed incorrect type (int copy should be png_size_t copy) in png_inflate().
+ Fixed off-by-one bug in png_handle_sCAL() when using fixed point arithmetic,
+ causing out-of-bounds read in png_set_sCAL() because of failure to copy
+ the string terminators (Franke Busse).
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/pngrutil.c b/pngrutil.c
index 38a5ad6f..7154dd63 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1,7 +1,7 @@
 /* pngrutil.c - utilities to read a PNG file
 *
- * Last changed in libpng 1.2.48 [February 22, 2012]
+ * Last changed in libpng 1.2.48 [February 27, 2012]
 * Copyright (c) 1998-2012 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -247,8 +247,8 @@ png_inflate(png_structp png_ptr, const png_byte *data, png_size_t size,
 {
 if (output != 0 && output_size > count)
 {
- int copy = output_size - count;
- if (avail < copy) copy = avail;
+ png_size_t copy = output_size - count;
+ if ((png_size_t) avail < copy) copy = (png_size_t) avail;
 png_memcpy(output + count, png_ptr->zbuf, copy);
 }
 count += avail;
@@ -1858,11 +1858,11 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
 png_ptr->chunkdata = NULL;
 return;
 }
- png_memcpy(swidth, ep, (png_size_t)png_strlen(ep));
+ png_memcpy(swidth, ep, (png_size_t)png_strlen(ep) + 1);
 #endif
 #endif
- for (ep = png_ptr->chunkdata; *ep; ep++)
+ for (ep = png_ptr->chunkdata + 1; *ep; ep++)
 /* Empty loop */ ;
 ep++;
@@ -1902,7 +1902,7 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
 #endif
 return;
 }
- png_memcpy(sheight, ep, (png_size_t)png_strlen(ep));
+ png_memcpy(sheight, ep, (png_size_t)png_strlen(ep) + 1);
 #endif
 #endif
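Review bot: The new `if ((png_size_t) avail < copy) copy = (png_size_t) avail;` line is only a correct bound while `avail` is non-negative; a negative `avail` converts to a very large value, the comparison stays false, and `png_memcpy` copies the full `output_size - count` bytes out of `png_ptr->zbuf` irrespective of how much inflate produced. The condition that presumably establishes `avail > 0` sits before the hunk's first line, so the cast's safety rests on an invariant the reader cannot see here; a one-line comment above the cast would tie the two together, e.g. `/* avail is positive here (checked by the enclosing if), so the sign-changing cast cannot widen the bound */`, with the wording adjusted to whatever that guard actually checks. The trailing context line `count += avail;` still mixes int and png_size_t; giving it the same explicit cast would make the intent uniform across the block. png_inflate starts and ends outside the hunk.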
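Review bot: The rewritten scan `for (ep = png_ptr->chunkdata + 1; *ep; ep++)` and the `ep++` after it are bounded only by a NUL byte, not by the chunk length: if the width string runs all the way to the chunk's end, the loop stops on the terminating NUL the reader presumably appends after the data and `ep++` then points one past it, so the later `png_strlen(ep)` and height parsing read beyond `chunkdata`. Nothing in the hunk compares `ep` with `png_ptr->chunkdata + length` (`length` is the parameter in the hunk header and is assumed to still hold the chunk's byte count here); unless a check earlier in the function already guarantees that a second string follows the separator, one should be added right after `ep++`, as sketched below, and `swidth` must be released on that path as well when the fixed-point branch allocated it. png_handle_sCAL starts and ends outside the hunk.
```c
   ep++;
   /* A height string must follow the width string's NUL separator. */
   if (ep >= png_ptr->chunkdata + length)
   {
      png_warning(png_ptr, "Malformed sCAL chunk");
      png_free(png_ptr, png_ptr->chunkdata);
      png_ptr->chunkdata = NULL;
      /* … also free swidth here under PNG_FIXED_POINT_SUPPORTED … */
      return;
   }
```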
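Review bot: `png_memcpy(sheight, ep, (png_size_t)png_strlen(ep) + 1);` repeats the `png_strlen(ep) + 1` expression that presumably sized the `png_malloc_warn` call just before the hunk, and the bug this commit fixes was exactly those two expressions drifting apart. Computing the length once and using it for both the allocation and the copy removes that failure mode, e.g. `png_size_t hlen = png_strlen(ep) + 1;` (declared at the top of the function to match the file's C89 style) before the allocation and `png_memcpy(sheight, ep, hlen);` here; the `swidth` copy in the hunk at line 1858 has the same shape and would benefit from the same treatment. Since the allocation itself lies outside the hunk, this is a point of style rather than a defect in the change. png_handle_sCAL starts and ends outside the hunk.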