[libpng15] Fixed a relatively harmless memory overwrite

in compressed text writing
This commit is contained in:
John Bowler 2011-10-14 12:33:52 -05:00 committed by Glenn Randers-Pehrson
parent d58251b47e
commit 5c1905caae
3 changed files with 8 additions and 1 deletions

View File

@ -72,6 +72,8 @@ Version 1.5.6beta05 [October 12, 2011]
Version 1.5.6beta06 [October 14, 2011] Version 1.5.6beta06 [October 14, 2011]
Removed two redundant tests for unitialized row. Removed two redundant tests for unitialized row.
Fixed a relatively harmless memory overwrite in compressed text writing
with a 1 byte zlib buffer.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net: Send comments/corrections/commendations to png-mng-implement at lists.sf.net:
(subscription required; visit (subscription required; visit

View File

@ -3633,6 +3633,8 @@ Version 1.5.6beta05 [October 12, 2011]
Version 1.5.6beta06 [October 14, 2011] Version 1.5.6beta06 [October 14, 2011]
Removed two redundant tests for unitialized row. Removed two redundant tests for unitialized row.
Fixed a relatively harmless memory overwrite in compressed text writing
with a 1 byte zlib buffer.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

View File

@ -582,7 +582,10 @@ png_write_compressed_data_out(png_structp png_ptr, compression_state *comp)
} }
#ifdef PNG_WRITE_OPTIMIZE_CMF_SUPPORTED #ifdef PNG_WRITE_OPTIMIZE_CMF_SUPPORTED
if (comp->input_len >= 2 && comp->input_len < 16384) /* The zbuf_size test is because the code below doesn't work if zbuf_size is
* '1'; simply skip it to avoid memory overwrite.
*/
if (comp->input_len >= 2 && comp->input_len < 16384 && png_ptr->zbuf_size > 1)
{ {
unsigned int z_cmf; /* zlib compression method and flags */ unsigned int z_cmf; /* zlib compression method and flags */