[libpng16] Attempt to debug Uninitialized Memory Read in png_set_text_2(),
detected by the oss-fuzz project.
Glenn Randers-Pehrson 2017-09-12 08:52:44 -05:00
parent 61d29bfc80
commit 76b269b1f4
3 changed files with 11 additions and 18 deletions


@ -45,8 +45,10 @@ Version 1.6.33beta03 [September 12, 2017]
(Bug report by "irwir" in Github libpng issue #175). (Bug report by "irwir" in Github libpng issue #175).
Use pnglibconf.h.prebuilt when building for ANDROID with cmake (Github Use pnglibconf.h.prebuilt when building for ANDROID with cmake (Github
issue 162, by rcdailey). issue 162, by rcdailey).
Guard against Uninitialized Memory Read in png_check_icc_table(), detected Guard against Uninitialized Memory Read in png_icc_check_tag_table(),
by the oss-fuzz project. detected by the oss-fuzz project.
Attempt to debug Uninitialized Memory Read in png_set_text_2(),
detected by the oss-fuzz project.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit
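Review bot: the new CHANGES entry describes an intention ("Attempt to debug") rather than the change, which makes the entry useless to anyone reading the log later; the png.c hunk in this commit actually merges the text_is_null and text_0_is_0 branches into a single `if (text_is_null || text_0_is_0)` test, so say that, e.g. "Merge the text_is_null and text_0_is_0 branches in png_set_text_2() to avoid an Uninitialized Memory Read detected by the oss-fuzz project." The correction of the function name in the preceding entry (png_check_icc_table() to png_icc_check_tag_table()) is fine.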


@ -6015,8 +6015,10 @@ Version 1.6.33beta03 [September 12, 2017]
(Bug report by "irwir" in Github libpng issue #175). (Bug report by "irwir" in Github libpng issue #175).
Use pnglibconf.h.prebuilt when building for ANDROID with cmake (Github Use pnglibconf.h.prebuilt when building for ANDROID with cmake (Github
issue 162, by rcdailey). issue 162, by rcdailey).
Guard against Uninitialized Memory Read in png_check_icc_table(), detected Guard against Uninitialized Memory Read in png_icc_check_tag_table(),
by the oss-fuzz project. detected by the oss-fuzz project.
Attempt to debug Uninitialized Memory Read in png_set_text_2(),
detected by the oss-fuzz project.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit
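Review bot: this block must stay word-for-word identical to the CHANGES hunk above, so whatever wording is chosen there for the "Attempt to debug" entry needs to be applied here too; as written both copies record intent rather than the change made in png.c.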


@ -886,10 +886,11 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
if (text_ptr[i].text == NULL) if (text_ptr[i].text == NULL)
text_is_null=1; text_is_null=1;
else if (text_ptr[i].text[0] == '\0') else if (text_ptr[i].text[0] == '\0') /* FIX THIS */
text_0_is_0=1; text_0_is_0=1;
if (text_is_null) /* oss-fuzz complains of UMR on the reference to text_0_is_0 */
if (text_is_null || text_0_is_0)
{ {
text_length = 0; text_length = 0;
# ifdef PNG_iTXt_SUPPORTED # ifdef PNG_iTXt_SUPPORTED
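Review bot: the new `if (text_is_null || text_0_is_0)` does not remove the uninitialized read it is meant to address. Both flags are only ever assigned the value 1 in the lines above (`text_is_null=1;` when text is NULL, `text_0_is_0=1;` when text[0] is '\0'), so for a non-NULL, non-empty string neither assignment runs; `||` short-circuits only when text_is_null is nonzero, and in the common case text_is_null is itself unread-before-write and text_0_is_0 is then evaluated without ever having been stored to. Unless both variables are initialized at their declaration (which is outside this hunk), the UMR report will persist. Initialize them to 0 where they are declared, or drop the flags entirely and test `text_ptr[i].text == NULL || text_ptr[i].text[0] == '\0'` directly, since the two branches being merged are identical. The `/* FIX THIS */` placeholder and the `/* oss-fuzz complains ... */` note should not be committed as-is; replace them with a comment stating why the branches were merged.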
@ -900,18 +901,6 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
# endif # endif
textp->compression = PNG_TEXT_COMPRESSION_NONE; textp->compression = PNG_TEXT_COMPRESSION_NONE;
} }
else if (text_0_is_0)
{
text_length = 0;
# ifdef PNG_iTXt_SUPPORTED
if (text_ptr[i].compression > 0)
textp->compression = PNG_ITXT_COMPRESSION_NONE;
else
# endif
textp->compression = PNG_TEXT_COMPRESSION_NONE;
}
else else
{ {
text_length = strlen(text_ptr[i].text); text_length = strlen(text_ptr[i].text);
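Review bot: removing the `else if (text_0_is_0)` branch is correct, since its body (text_length = 0 and the same PNG_iTXt_SUPPORTED compression selection) was byte-for-byte identical to the `if (text_is_null)` body it follows; the merge changes no behaviour. With the branch gone, though, text_0_is_0 exists only to feed the combined condition, so the cleaner change is to remove both flag variables and test the pointer and its first byte directly in the `if`, which also sidesteps the question of whether the flags are initialized.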