diff --git a/ANNOUNCE b/ANNOUNCE
index 837992f7f..909036e5b 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -72,6 +72,8 @@ Version 1.5.6beta05 [October 12, 2011]
 Version 1.5.6beta06 [October 14, 2011]
 Removed two redundant tests for unitialized row.
+ Fixed a relatively harmless memory overwrite in compressed text writing
+ with a 1 byte zlib buffer.
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net:
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index 70a5768d1..7c414c00a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3633,6 +3633,8 @@ Version 1.5.6beta05 [October 12, 2011]
 Version 1.5.6beta06 [October 14, 2011]
 Removed two redundant tests for unitialized row.
+ Fixed a relatively harmless memory overwrite in compressed text writing
+ with a 1 byte zlib buffer.
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/pngwutil.c b/pngwutil.c
index 2554d51ec..e4087c43b 100644
--- a/pngwutil.c
+++ b/pngwutil.c
@@ -582,7 +582,10 @@ png_write_compressed_data_out(png_structp png_ptr, compression_state *comp)
 }
 #ifdef PNG_WRITE_OPTIMIZE_CMF_SUPPORTED
- if (comp->input_len >= 2 && comp->input_len < 16384)
+ /* The zbuf_size test is because the code below doesn't work if zbuf_size is
+ * '1'; simply skip it to avoid memory overwrite.
+ */
+ if (comp->input_len >= 2 && comp->input_len < 16384 && png_ptr->zbuf_size > 1)
 {
 unsigned int z_cmf; /* zlib compression method and flags */