cheng/libpng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[lbpng16] Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue.

Browse Source
This commit is contained in:
Glenn Randers-Pehrson 2017-08-05 20:51:23 -05:00
parent c5c778bcfc
commit 39d84f4f6a
3 changed files with 24 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ANNOUNCE
View File

@ -87,6 +87,8 @@ Version 1.6.32beta11 [August 6, 2017]
Removed unused chunk_name parameter from png_check_chunk_length(). Removed unused chunk_name parameter from png_check_chunk_length().
Relocated setting free_me for eXIf data, to stop an OSS-fuzz leak. Relocated setting free_me for eXIf data, to stop an OSS-fuzz leak.
Initialize profile_header[] in png_handle_iCCP() to fix OSS-fuzz issue. Initialize profile_header[] in png_handle_iCCP() to fix OSS-fuzz issue.
Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix OSS-fuzz UMR.
Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

2
CHANGES
View File

@ -5970,6 +5970,8 @@ Version 1.6.32beta11 [August 6, 2017]
Removed unused chunk_name parameter from png_check_chunk_length(). Removed unused chunk_name parameter from png_check_chunk_length().
Relocated setting free_me for eXIf data, to stop an OSS-fuzz leak. Relocated setting free_me for eXIf data, to stop an OSS-fuzz leak.
Initialize profile_header[] in png_handle_iCCP() to fix OSS-fuzz issue. Initialize profile_header[] in png_handle_iCCP() to fix OSS-fuzz issue.
Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix OSS-fuzz UMR.
Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

35
pngrutil.c
View File

@ -2636,23 +2636,28 @@ png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
{ {
png_text text; png_text text;
/* It worked; png_ptr->read_buffer now looks like a tEXt chunk except if (png_ptr->read_buffer == NULL)
* for the extra compression type byte and the fact that it isn't errmsg="Read failure in png_handle_zTXt";
* necessarily '\0' terminated. else
*/ {
buffer = png_ptr->read_buffer; /* It worked; png_ptr->read_buffer now looks like a tEXt chunk
buffer[uncompressed_length+(keyword_length+2)] = 0; * except for the extra compression type byte and the fact that
* it isn't necessarily '\0' terminated.
*/
buffer = png_ptr->read_buffer;
buffer[uncompressed_length+(keyword_length+2)] = 0;
text.compression = PNG_TEXT_COMPRESSION_zTXt; text.compression = PNG_TEXT_COMPRESSION_zTXt;
text.key = (png_charp)buffer; text.key = (png_charp)buffer;
text.text = (png_charp)(buffer + keyword_length+2); text.text = (png_charp)(buffer + keyword_length+2);
text.text_length = uncompressed_length; text.text_length = uncompressed_length;
text.itxt_length = 0; text.itxt_length = 0;
text.lang = NULL; text.lang = NULL;
text.lang_key = NULL; text.lang_key = NULL;
if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0) if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0)
errmsg = "insufficient memory"; errmsg = "insufficient memory";
}
} }
else else