[libpng12] Fixed off-by-one bug in png_handle_sCAL() when using fixed point
arithmetic, causing out-of-bounds read in png_set_sCAL() because of failure
to copy the string terminators (Frank Busse).
diff --git a/ANNOUNCE b/ANNOUNCE
index 9ff25e6..671e008 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
 
-Libpng 1.2.48beta01 - February 22, 2012
+Libpng 1.2.48beta01 - February 27, 2012
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -42,13 +42,17 @@
 
 Changes since the last public release (1.2.46):
 
-version 1.2.48beta01 [February 22, 2012]
+version 1.2.48beta01 [February 27, 2012]
   Removed two useless #ifdef directives from pngread.c and one from pngrutil.c
   Eliminated redundant png_push_read_tEXt|zTXt|iTXt|unknown code from
     pngpread.c and use the sequential png_handle_tEXt, etc., in pngrutil.c;
     now that png_ptr->buffer is inaccessible to applications, the special
     handling is no longer useful.
   Fixed bug with png_handle_hIST with odd chunk length (Frank Busse).
+  Fixed incorrect type (int copy should be png_size_t copy) in png_inflate().
+  Fixed off-by-one bug in png_handle_sCAL() when using fixed point arithmetic,
+    causing out-of-bounds read in png_set_sCAL() because of failure to copy
+    the string terminators (Franke Busse).
 
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement
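Review bot: The credit on the new sCAL entry reads "Franke Busse", while the hIST entry four lines above it in the same list reads "Frank Busse". Use one spelling so the two credits clearly name the same reporter. The two added entries also carry no issue or CVE reference, so a reader cannot tell from ANNOUNCE alone which of them is the out-of-bounds read fix that downstream packagers should prioritise. A short "(security)" marker on the sCAL line would help.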
diff --git a/CHANGES b/CHANGES
index 50b5fbb..aed693e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2741,17 +2741,23 @@
 
 version 1.0.57rc01 and 1.2.47rc01 [February 17, 2012]
   Fixed CVE-2011-3026 buffer overrun bug.
+  Fixed CVE-2011-3026 buffer overrun bug.  This bug was introduced when
+    iCCP chunk support was added at libpng-1.0.6.
 
 version 1.0.57 and 1.2.47 [February 18, 2012]
   No changes.
 
-version 1.2.48beta01 [February 22, 2012]
+version 1.2.48beta01 [February 27, 2012]
   Removed two useless #ifdef directives from pngread.c and one from pngrutil.c
   Eliminated redundant png_push_read_tEXt|zTXt|iTXt|unknown code from
     pngpread.c and use the sequential png_handle_tEXt, etc., in pngrutil.c;
     now that png_ptr->buffer is inaccessible to applications, the special
     handling is no longer useful.
   Fixed bug with png_handle_hIST with odd chunk length (Frank Busse).
+  Fixed incorrect type (int copy should be png_size_t copy) in png_inflate().
+  Fixed off-by-one bug in png_handle_sCAL() when using fixed point arithmetic,
+    causing out-of-bounds read in png_set_sCAL() because of failure to copy
+    the string terminators (Franke Busse).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
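Review bot: The CVE-2011-3026 entry under "version 1.0.57rc01 and 1.2.47rc01" now appears twice. The expanded text was added as a new "+" line, but the original "Fixed CVE-2011-3026 buffer overrun bug." line was left in place as context rather than removed. Delete the old line so the entry reads once, with the note about iCCP support at libpng-1.0.6 attached to it. The new sCAL entry here also has the "Franke Busse" spelling that differs from "Frank Busse" on the hIST line.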
diff --git a/pngrutil.c b/pngrutil.c
index 38a5ad6..7154dd6 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1,7 +1,7 @@
 
 /* pngrutil.c - utilities to read a PNG file
  *
- * Last changed in libpng 1.2.48 [February 22, 2012]
+ * Last changed in libpng 1.2.48 [February 27, 2012]
  * Copyright (c) 1998-2012 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -247,8 +247,8 @@
       {
          if (output != 0 && output_size > count)
          {
-            int copy = output_size - count;
-            if (avail < copy) copy = avail;
+            png_size_t copy = output_size - count;
+            if ((png_size_t) avail < copy) copy = (png_size_t) avail;
             png_memcpy(output + count, png_ptr->zbuf, copy);
          }
          count += avail;
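Review bot: The cast in "(png_size_t) avail < copy" is only safe if avail can never be negative at this point, and nothing in the hunk shows that. A negative avail would convert to a very large unsigned value, the comparison would be false, and copy would stay at output_size - count regardless of how much data is actually in png_ptr->zbuf. Either declare avail as png_size_t where it is computed, or add a one-line comment or check stating why it is non-negative here. The subtraction itself is fine because the enclosing test "output_size > count" rules out wraparound.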
@@ -1858,11 +1858,11 @@
       png_ptr->chunkdata = NULL;
       return;
    }
-   png_memcpy(swidth, ep, (png_size_t)png_strlen(ep));
+   png_memcpy(swidth, ep, (png_size_t)png_strlen(ep) + 1);
 #endif
 #endif
 
-   for (ep = png_ptr->chunkdata; *ep; ep++)
+   for (ep = png_ptr->chunkdata + 1; *ep; ep++)
       /* Empty loop */ ;
    ep++;
 
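Review bot: The loop start change to "ep = png_ptr->chunkdata + 1" is not mentioned in the commit message or in either changelog entry, which describe only the missing string terminators. In an sCAL chunk, byte 0 is the unit specifier, so skipping it before scanning for the end of the width string looks right. It is still a separate behaviour change from the memcpy fix and should get its own changelog line and a short comment at the loop saying that the unit byte is being skipped. It would also help to state there what guarantees the scan stops inside the chunk buffer, since the loop condition is only "*ep".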
@@ -1902,7 +1902,7 @@
 #endif
       return;
    }
-   png_memcpy(sheight, ep, (png_size_t)png_strlen(ep));
+   png_memcpy(sheight, ep, (png_size_t)png_strlen(ep) + 1);
 #endif
 #endif
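Review bot: Copying "png_strlen(ep) + 1" bytes into sheight (and into swidth in the previous hunk) is correct only if each destination was allocated with room for the terminator, and the allocations are not visible in either hunk. Please confirm both buffers are sized strlen + 1, otherwise this turns the out-of-bounds read into a one-byte out-of-bounds write. Since the same length expression presumably appears at the allocation too, computing it once into a local png_size_t and using it for both the allocation and the copy would keep the two from drifting apart again.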