[devel] Fixed 1-byte uninitialized memory reference in png_format_buffer()
(Bug report by Frank Busse, related to CVE-2004-0421).
diff --git a/ANNOUNCE b/ANNOUNCE
index 43c34ca..f1c0414 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
-Libpng 1.5.3rc01 - June 3, 2011
+Libpng 1.5.3rc02 - June 7, 2011
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
@@ -9,20 +9,20 @@
Source files with LF line endings (for Unix/Linux) and with a
"configure" script
- 1.5.3rc01.tar.xz (LZMA-compressed, recommended)
- 1.5.3rc01.tar.gz
- 1.5.3rc01.tar.bz2
+ 1.5.3rc02.tar.xz (LZMA-compressed, recommended)
+ 1.5.3rc02.tar.gz
+ 1.5.3rc02.tar.bz2
Source files with CRLF line endings (for Windows), without the
"configure" script
- lp153r01.7z (LZMA-compressed, recommended)
- lp153r01.zip
+ lp153r02.7z (LZMA-compressed, recommended)
+ lp153r02.zip
Other information:
- 1.5.3rc01-README.txt
- 1.5.3rc01-LICENSE.txt
+ 1.5.3rc02-README.txt
+ 1.5.3rc02-LICENSE.txt
Changes since the last public release (1.5.2):
@@ -125,7 +125,9 @@
Added memory overwrite and palette image checks to pngvalid.c
Previously palette image code was poorly checked. Since the transformation
code has a special palette path in most cases this was a severe weakness.
- Minor cleanup and some extra checking in pngrutil.c and pngrtran.c
+ Minor cleanup and some extra checking in pngrutil.c and pngrtran.c. When
+ expanding an indexed image, always expand to RGBA if transparency is
+ present.
Version 1.5.3beta09 [May 17, 2011]
Reversed earlier 1.5.3 change of transformation order; move png_expand_16 back.
@@ -148,6 +150,10 @@
Version 1.5.3rc01 [June 3, 2011]
No changes.
+Version 1.5.3rc02 [June 7, 2011]
+ Fixed 1-byte uninitialized memory reference in png_format_buffer() (Bug
+ report by Frank Busse, related to CVE-2004-0421).
+
Send comments/corrections/commendations to png-mng-implement at lists.sf.net:
(subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/CHANGES b/CHANGES
index 37b71b1..41214cc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3386,7 +3386,9 @@
Added memory overwrite and palette image checks to pngvalid.c
Previously palette image code was poorly checked. Since the transformation
code has a special palette path in most cases this was a severe weakness.
- Minor cleanup and some extra checking in pngrutil.c and pngrtran.c
+ Minor cleanup and some extra checking in pngrutil.c and pngrtran.c. When
+ expanding an indexed image, always expand to RGBA if transparency is
+ present.
Version 1.5.3beta09 [May 17, 2011]
Reversed earlier 1.5.3 change of transformation order; move png_expand_16
@@ -3411,6 +3413,10 @@
Version 1.5.3rc01 [June 3, 2011]
No changes.
+Version 1.5.3rc02 [June 7, 2011]
+ Fixed 1-byte uninitialized memory reference in png_format_buffer() (Bug
+ report by Frank Busse, related to CVE-2004-0421).
+
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/pngerror.c b/pngerror.c
index 4881dfe..419f83a 100644
--- a/pngerror.c
+++ b/pngerror.c
@@ -400,8 +400,13 @@
{
buffer[iout++] = ':';
buffer[iout++] = ' ';
- png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT);
- buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0';
+
+ iin = 0;
+ while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
+ buffer[iout++] = error_message[iin++];
+
+ /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
+ buffer[iout] = '\0';
}
}
#endif /* PNG_WARNINGS_SUPPORTED || PNG_ERROR_TEXT_SUPPORTED */
