[devel] Fixed 1-byte uninitialized memory reference in png_format_buffer()

(Bug report by Frank Busse, related to CVE-2004-0421).

ANNOUNCE

@@ -1,5 +1,5 @@
 
-Libpng 1.5.3rc01 - June 3, 2011
+Libpng 1.5.3rc02 - June 7, 2011
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -9,20 +9,20 @@ Files available for download:
 Source files with LF line endings (for Unix/Linux) and with a
 "configure" script
 
-   1.5.3rc01.tar.xz (LZMA-compressed, recommended)
+   1.5.3rc02.tar.xz (LZMA-compressed, recommended)
-   1.5.3rc01.tar.gz
+   1.5.3rc02.tar.gz
-   1.5.3rc01.tar.bz2
+   1.5.3rc02.tar.bz2
 
 Source files with CRLF line endings (for Windows), without the
 "configure" script
 
-   lp153r01.7z  (LZMA-compressed, recommended)
+   lp153r02.7z  (LZMA-compressed, recommended)
-   lp153r01.zip
+   lp153r02.zip
 
 Other information:
 
-   1.5.3rc01-README.txt
+   1.5.3rc02-README.txt
-   1.5.3rc01-LICENSE.txt
+   1.5.3rc02-LICENSE.txt
 
 Changes since the last public release (1.5.2):
 
@@ -125,7 +125,9 @@ Version 1.5.3beta08 [May 16, 2011]
   Added memory overwrite and palette image checks to pngvalid.c
     Previously palette image code was poorly checked. Since the transformation
     code has a special palette path in most cases this was a severe weakness.
-  Minor cleanup and some extra checking in pngrutil.c and pngrtran.c
+  Minor cleanup and some extra checking in pngrutil.c and pngrtran.c. When
+    expanding an indexed image, always expand to RGBA if transparency is
+    present.
 
 Version 1.5.3beta09 [May 17, 2011]
  Reversed earlier 1.5.3 change of transformation order; move png_expand_16 back.
@@ -148,6 +150,10 @@ Version 1.5.3beta10 [May 20, 2011]
 Version 1.5.3rc01 [June 3, 2011]
   No changes.
 
+Version 1.5.3rc02 [June 7, 2011]
+  Fixed 1-byte uninitialized memory reference in png_format_buffer() (Bug
+    report by Frank Busse, related to CVE-2004-0421).
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net:
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement

CHANGES

@@ -3386,7 +3386,9 @@ Version 1.5.3beta08 [May 16, 2011]
   Added memory overwrite and palette image checks to pngvalid.c
     Previously palette image code was poorly checked. Since the transformation
     code has a special palette path in most cases this was a severe weakness.
-  Minor cleanup and some extra checking in pngrutil.c and pngrtran.c
+  Minor cleanup and some extra checking in pngrutil.c and pngrtran.c. When
+    expanding an indexed image, always expand to RGBA if transparency is
+    present.
 
 Version 1.5.3beta09 [May 17, 2011]
   Reversed earlier 1.5.3 change of transformation order; move png_expand_16
@@ -3411,6 +3413,10 @@ Version 1.5.3beta10 [May 20, 2011]
 Version 1.5.3rc01 [June 3, 2011]
   No changes.
 
+Version 1.5.3rc02 [June 7, 2011]
+  Fixed 1-byte uninitialized memory reference in png_format_buffer() (Bug
+    report by Frank Busse, related to CVE-2004-0421).
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement

pngerror.c

@@ -400,8 +400,13 @@ png_format_buffer(png_structp png_ptr, png_charp buffer, png_const_charp
    {
       buffer[iout++] = ':';
       buffer[iout++] = ' ';
-      png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT);
+
-      buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0';
+      iin = 0;
+      while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
+         buffer[iout++] = error_message[iin++];
+
+      /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
+      buffer[iout] = '\0';
    }
 }
 #endif /* PNG_WARNINGS_SUPPORTED || PNG_ERROR_TEXT_SUPPORTED */