[Png-mng-security] NULL pointer dereferences in pngerror.c

Glenn Randers-Pehrson glennrp at comcast.net
Sat Nov 11 03:59:24 UTC 2006


png_chunk_warning currently reads:

void PNGAPI
png_chunk_warning(png_structp png_ptr, png_const_charp warning_message)
{
   char msg[18+64];
   if (png_ptr == NULL)
     png_warning(png_ptr, warning_message);
   png_format_buffer(png_ptr, msg, warning_message);
   png_warning(png_ptr, msg);
}

It checks for the NULL pointer, but then, after returning from
png_warning, calls png_format_buffer, which makes reference to
a member of the png_ptr struct.  Putting the png_format_buffer
inside an "else {}" fixes the problem:

void PNGAPI
png_chunk_warning(png_structp png_ptr, png_const_charp warning_message)
{
   char msg[18+64];
   if (png_ptr == NULL)
     png_warning(png_ptr, warning_message);
   else
   {
     png_format_buffer(png_ptr, msg, warning_message);
     png_warning(png_ptr, msg);
   }
}

The bug report says that png_chunk_error has the same problem, but
that's innocuous since png_error() doesn't return.  We might as well
use an "else {}" there as well, though, so Coverity doesn't get misled.

Glenn
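An added example, not code from libpng or from the message above: a small C model of the two control flows discussed, with constructed stand-ins for png_format_buffer (dereferences the struct) and png_error (never returns, modelled with longjmp). It shows that the fixed png_chunk_warning shape never dereferences a NULL png_ptr, and why the same shape in png_chunk_error was harmless.

```c
#include <setjmp.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the libpng pieces the message talks about; not libpng code. */
typedef struct { char chunk_name[5]; } png_model;   /* only member format_buffer reads */
static jmp_buf err_jmp;              /* stands in for the png_ptr error handler */
static int format_calls;             /* counts dereferencing calls for the check */

/* Model of png_format_buffer: dereferences p, so p must not be NULL. */
static void format_buffer(const png_model *p, char *buf, size_t len, const char *msg)
{
    format_calls++;
    snprintf(buf, len, "%s: %s", p->chunk_name, msg);
}

/* Model of png_error: never returns, like the real one. */
static void png_error_model(const char *msg) { (void)msg; longjmp(err_jmp, 1); }

/* Fixed png_chunk_warning shape, with the warning sink replaced by an output
 * buffer. Returns 1 when the NULL fallback was taken, 0 when formatted. */
int chunk_warning_fixed(const png_model *png_ptr, const char *warning_message,
                        char *out, size_t out_len)
{
    char msg[18 + 64];
    if (png_ptr == NULL) {
        snprintf(out, out_len, "%s", warning_message);
        return 1;
    }
    format_buffer(png_ptr, msg, sizeof msg, warning_message);
    snprintf(out, out_len, "%s", msg);
    return 0;
}

/* Unfixed png_chunk_error shape. Returns how many times format_buffer ran:
 * 0 for a NULL png_ptr, because png_error never returns to reach it. */
int chunk_error_unfixed_deref_count(const png_model *png_ptr, const char *msg)
{
    char buf[18 + 64];
    int before = format_calls;
    if (setjmp(err_jmp) == 0) {
        if (png_ptr == NULL)
            png_error_model(msg);
        format_buffer(png_ptr, buf, sizeof buf, msg);
        png_error_model(buf);
    }
    return format_calls - before;
}
```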