[devel] Fixed png_handle_sCAL which is broken in 1.5

Glenn Randers-Pehrson 2011-06-10 17:45:48 -05:00
parent ab1a573768
commit 254a513fd1
3 changed files with 17 additions and 2 deletions


@ -1,5 +1,5 @@
Libpng 1.5.3rc03 - June 8, 2011 Libpng 1.5.3rc03 - June 10, 2011
This is not intended to be a public release. It will be replaced This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version. within a few weeks by a public version or by another test version.
@ -154,6 +154,9 @@ Version 1.5.3rc02 [June 8, 2011]
Fixed uninitialized memory read in png_format_buffer() (Bug report by Fixed uninitialized memory read in png_format_buffer() (Bug report by
Frank Busse, related to CVE-2004-0421). Frank Busse, related to CVE-2004-0421).
Version 1.5.3rc03 [June 10, 2011]
Fixed png_handle_sCAL which is broken in 1.5; added sCAL to pngtest.png
Send comments/corrections/commendations to png-mng-implement at lists.sf.net: Send comments/corrections/commendations to png-mng-implement at lists.sf.net:
(subscription required; visit (subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement https://lists.sourceforge.net/lists/listinfo/png-mng-implement


@ -3417,6 +3417,9 @@ Version 1.5.3rc02 [June 8, 2011]
Fixed uninitialized memory read in png_format_buffer() (Bug report by Fixed uninitialized memory read in png_format_buffer() (Bug report by
Frank Busse, related to CVE-2004-0421). Frank Busse, related to CVE-2004-0421).
Version 1.5.3rc03 [June 10, 2011]
Fixed png_handle_sCAL which is broken in 1.5; added sCAL to pngtest.png
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement https://lists.sourceforge.net/lists/listinfo/png-mng-implement


@ -1992,6 +1992,14 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
return; return;
} }
/* Need unit type, width, \0, height: minimum 4 bytes */
else if (length < 4)
{
png_warning(png_ptr, "sCAL chunk too short");
png_crc_finish(png_ptr, length);
return;
}
png_debug1(2, "Allocating and reading sCAL chunk data (%u bytes)", png_debug1(2, "Allocating and reading sCAL chunk data (%u bytes)",
length + 1); length + 1);
@ -2027,7 +2035,7 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
/* Validate the ASCII numbers, need two ASCII numbers separated by /* Validate the ASCII numbers, need two ASCII numbers separated by
* a '\0' and they need to fit exactly in the chunk data. * a '\0' and they need to fit exactly in the chunk data.
*/ */
i = 0; i = 1;
state = 0; state = 0;
if (png_ptr->chunkdata[1] == 45 /* negative width */ || if (png_ptr->chunkdata[1] == 45 /* negative width */ ||
@ -2039,6 +2047,7 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
{ {
png_size_t heighti = i; png_size_t heighti = i;
state = 0;
if (png_ptr->chunkdata[i] == 45 /* negative height */ || if (png_ptr->chunkdata[i] == 45 /* negative height */ ||
!png_check_fp_number(png_ptr->chunkdata, slength, &state, &i) || !png_check_fp_number(png_ptr->chunkdata, slength, &state, &i) ||
i != slength) i != slength)
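Review bot: The two re-initialisations that carry the fix, `i = 1;` before the width check and `state = 0;` before the height check, have no comment saying why they are needed, so a later cleanup could quietly undo them. I would add `/* chunkdata[0] is the unit byte; the width starts at offset 1 */` above `i = 1;` and `/* png_check_fp_number() updates state; parse the height from a clean state */` above the second `state = 0;` (the latter is inferred from the `&state` argument, so confirm it against the helper). The new `length < 4` guard is also what keeps the `chunkdata[1]` read inside the `length + 1` byte buffer, and the hunk shows no upper bound before `length + 1` is used, so it is worth confirming that the chunk length is capped before this function is reached. Writing `'-'` instead of `45` in the two sign checks would make them easier to audit. png_handle_sCAL starts and ends outside these hunks.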