[Png-mng-security] NULL pointer dereferences in pngerror.c
Glenn Randers-Pehrson
glennrp at comcast.net
Sat Nov 11 03:59:24 UTC 2006
png_chunk_warning currently reads:
    void PNGAPI
    png_chunk_warning(png_structp png_ptr, png_const_charp warning_message)
    {
       char msg[18+64];
       if (png_ptr == NULL)
          png_warning(png_ptr, warning_message);
       png_format_buffer(png_ptr, msg, warning_message);
       png_warning(png_ptr, msg);
    }
It checks for the NULL pointer but then after returning from the
png_warning, calls png_format_buffer which makes reference to
a member of the png_ptr struct. Putting the png_format_buffer
inside an "else {}" fixes the problem:
    void PNGAPI
    png_chunk_warning(png_structp png_ptr, png_const_charp warning_message)
    {
       char msg[18+64];
       if (png_ptr == NULL)
          png_warning(png_ptr, warning_message);
       else
       {
          png_format_buffer(png_ptr, msg, warning_message);
          png_warning(png_ptr, msg);
       }
    }
The bug report says that png_chunk_error has the same problem, but
that's innocuous since png_error() doesn't return. We might as well
use an else {} there as well, though, so Coverity doesn't get misled.
Glenn
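The two points in the message (the else keeps png_format_buffer off the NULL path, and the png_chunk_error variant is harmless only because png_error never returns) can be exercised in isolation. The following is an added example, not libpng code and not part of the original post: png_struct, png_warning, png_error and png_format_buffer are replaced by hypothetical stubs (png_struct_stub, stub_warning, stub_error, stub_format_buffer) that model just the behaviour the post relies on, with the error stub longjmp'ing the way libpng's default png_error does.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for libpng's png_struct: only the field that the
 * format-buffer stub reads (the current chunk name) is modelled. */
typedef struct {
    unsigned char chunk_name[4];
} png_struct_stub;

/* Last message seen by the stub handlers, kept so callers can inspect it. */
static char last_message[128];
static int warning_count;

/* Jump target for the error stub, standing in for the caller's png_jmpbuf. */
static jmp_buf error_jmp;

/* Stub png_warning: tolerates a NULL png_ptr, records the text and returns. */
static void stub_warning(png_struct_stub *png_ptr, const char *msg)
{
    (void)png_ptr;
    snprintf(last_message, sizeof last_message, "%s", msg);
    warning_count++;
}

/* Stub png_error: records the text and never returns, like png_error(). */
static void stub_error(png_struct_stub *png_ptr, const char *msg)
{
    (void)png_ptr;
    snprintf(last_message, sizeof last_message, "%s", msg);
    longjmp(error_jmp, 1);
}

/* Stub png_format_buffer: prefixes the chunk name, which means it
 * dereferences png_ptr. This is the access that faults on a NULL pointer. */
static void stub_format_buffer(png_struct_stub *png_ptr, char *buf,
                               size_t buflen, const char *msg)
{
    snprintf(buf, buflen, "%c%c%c%c: %s",
             png_ptr->chunk_name[0], png_ptr->chunk_name[1],
             png_ptr->chunk_name[2], png_ptr->chunk_name[3], msg);
}

/* Fixed shape of png_chunk_warning from the post: the else keeps the
 * formatting call off the NULL path, so a NULL png_ptr only loses the
 * chunk-name prefix. */
void chunk_warning_fixed(png_struct_stub *png_ptr, const char *msg)
{
    char buf[18 + 64];
    if (png_ptr == NULL)
        stub_warning(png_ptr, msg);
    else {
        stub_format_buffer(png_ptr, buf, sizeof buf, msg);
        stub_warning(png_ptr, buf);
    }
}

/* Unfixed shape of png_chunk_error: the NULL branch calls the non-returning
 * error stub, so control never reaches the dereference below. */
static void chunk_error_unfixed(png_struct_stub *png_ptr, const char *msg)
{
    char buf[18 + 64];
    if (png_ptr == NULL)
        stub_error(png_ptr, msg);
    /* Not reached when png_ptr is NULL, because stub_error longjmp'd. */
    stub_format_buffer(png_ptr, buf, sizeof buf, msg);
    stub_error(png_ptr, buf);
}

/* Driver that plays the role of a libpng caller with setjmp-based error
 * handling. Returns 1 if the error handler was reached and longjmp'd back,
 * 0 if chunk_error_unfixed returned normally (which it never should). */
int run_chunk_error(png_struct_stub *png_ptr, const char *msg)
{
    if (setjmp(error_jmp) != 0)
        return 1;
    chunk_error_unfixed(png_ptr, msg);
    return 0;
}

/* Returns the message recorded by the most recent stub handler call. */
const char *last_recorded_message(void)
{
    return last_message;
}

int main(void)
{
    png_struct_stub s = {{'I', 'H', 'D', 'R'}};
    chunk_warning_fixed(NULL, "bad length");
    printf("warning with NULL png_ptr: %s\n", last_recorded_message());
    chunk_warning_fixed(&s, "bad length");
    printf("warning with png_ptr:      %s\n", last_recorded_message());
    printf("chunk_error with NULL reached handler: %d\n",
           run_chunk_error(NULL, "fatal"));
    return 0;
}
```

Swapping the longjmp in stub_error for a plain return reproduces the Coverity complaint: chunk_error_unfixed would then fall through to stub_format_buffer with a NULL pointer, which is why the post suggests the else {} there too even though the real png_error makes it unreachable.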