[Png-mng-security] pCAL reading past buffer end

Glenn Randers-Pehrson glennrp at comcast.net
Sat Sep 22 11:51:25 UTC 2007


At 04:58 AM 9/22/2007 +0100, Tavis Ormandy wrote:
>Hey Glenn/Greg/Pngers,
>
>I think this loop condition from png_handle_pCAL() is in the wrong
>order, as if buf > endptr, it will still be dereferenced to check for '\0'.
>
>      png_debug1(3, "Reading pCAL parameter %d\n", i);
>      for (params[i] = buf; *buf != 0x00 && buf <= endptr; buf++)
>         /* Empty loop to move past each parameter string */ ;
>
>Obviously this is pretty minor, but in the unlikely case that buf ends on a
>page boundary, this could cause a crash. Just switching it should solve the
>problem, i.e. buf <= endptr && *buf != 0x00.
>
>This bug was found with flayer, http://code.google.com/p/flayer/

Thanks.  I'll make the change in libpng-1.2.21rc1, due out on Monday
September 25th.  BTW gecko implementations (firefox, mozilla, etc.) are
immune to this problem because pCAL processing is not enabled.

Glenn
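A bounds-checked parameter scanner in the spirit of that fix, added here as an example (this is not libpng's png_handle_pCAL; the payload layout, function names and sample bytes are assumed/constructed):

```c
#include <stddef.h>

/* Constructed scanner for pCAL-style NUL-separated parameter strings.
 * The parameter block is not guaranteed to end in a NUL, so each loop
 * tests the bound before it reads a byte: `buf < endptr && *buf != 0`
 * rather than `*buf != 0 && buf <= endptr`, the operand order the report
 * above corrects. */

#define MAX_PARAMS 8

/* Locates up to nparams strings in data[0..length). Fills params[i] with the
 * start of each string and lens[i] with its length. Returns the number of
 * parameters found, or -1 if the data runs out before nparams were seen
 * (a missing trailing string is treated as truncation, not as empty). */
int scan_pcal_params(const unsigned char *data, size_t length, int nparams,
                     const unsigned char *params[], size_t lens[])
{
    const unsigned char *buf = data;
    const unsigned char *endptr = data + length; /* one past the last byte */
    int i;

    if (nparams < 0 || nparams > MAX_PARAMS)
        return -1;

    for (i = 0; i < nparams; i++) {
        if (buf >= endptr)
            return -1;               /* out of data before parameter i */
        params[i] = buf;
        /* Bound first, dereference second: data[length] is never read. */
        while (buf < endptr && *buf != 0x00)
            buf++;
        lens[i] = (size_t)(buf - params[i]);
        if (buf < endptr)
            buf++;                   /* step over the NUL separator */
    }
    return i;
}

/* Constructed sample payload (not from a real PNG): three parameters, the
 * last one unterminated when scanned with length 8. */
static const unsigned char sample_pcal[] = "x0\0x1\0x2";

/* Wrappers returning scalar results so the scan can be checked directly. */
int scan_count(const unsigned char *data, size_t length, int nparams)
{
    const unsigned char *params[MAX_PARAMS];
    size_t lens[MAX_PARAMS];
    return scan_pcal_params(data, length, nparams, params, lens);
}

size_t scan_param_len(const unsigned char *data, size_t length, int nparams, int idx)
{
    const unsigned char *params[MAX_PARAMS];
    size_t lens[MAX_PARAMS];
    if (scan_pcal_params(data, length, nparams, params, lens) < 0)
        return 0;
    return lens[idx];
}
```

Run under a memory checker (valgrind or ASan) with a heap-allocated copy of exactly `length` bytes to confirm the scan never touches the byte past the end.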
