[devel] Fixed 1-byte uninitialized memory reference in png_format_buffer() (Bug report by Frank Busse, related to CVE-2004-0421).

commit: 07e1d34a8498ebcdaf33a438b6f476f84f7f2b53 [log] [tgz]
author: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> Tue Jun 07 14:35:30 2011 -0500
committer: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> Tue Jun 07 14:35:30 2011 -0500
tree: ddc5b5ef12ac44848366a1b4dd1edc6843e2aa4c
parent: 36edbb5eee1091a13f1058ee1ec7d518028a583a [diff] [blame]
diff --git a/pngerror.c b/pngerror.c
index 4881dfe..419f83a 100644
--- a/pngerror.c
+++ b/pngerror.c

@@ -400,8 +400,13 @@
    {
       buffer[iout++] = ':';
       buffer[iout++] = ' ';
-      png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT);
-      buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0';
+
+      iin = 0;
+      while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
+         buffer[iout++] = error_message[iin++];
+
+      /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
+      buffer[iout] = '\0';
    }
 }
 #endif /* PNG_WARNINGS_SUPPORTED || PNG_ERROR_TEXT_SUPPORTED */
commit	07e1d34a8498ebcdaf33a438b6f476f84f7f2b53	[log] [tgz]
author	Glenn Randers-Pehrson <glennrp at users.sourceforge.net>	Tue Jun 07 14:35:30 2011 -0500
committer	Glenn Randers-Pehrson <glennrp at users.sourceforge.net>	Tue Jun 07 14:35:30 2011 -0500
tree	ddc5b5ef12ac44848366a1b4dd1edc6843e2aa4c
parent	36edbb5eee1091a13f1058ee1ec7d518028a583a [diff] [blame]