[Png-mng-security] zTXt incorrect buffer check

Glenn Randers-Pehrson glennrp at comcast.net
Wed Sep 26 00:54:28 UTC 2007


At 12:24 AM 9/26/2007 +0100, Tavis Ormandy wrote:
>Hello again, flayer turned up another bug
>I suppose the correct check should have been text >= chunkdata + slength - 2?

Thanks; I've made this change in libpng-1.2.21rc1.
Since both bugs are pretty useless for attacking browsers
I mentioned them in the change log.

Glenn
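
The bounds check proposed in the quoted message, worked through as an added example (not code from libpng or from either poster). It assumes the chunk reader appends one NUL after the `slength` chunk bytes; the names `ztxt_fields`, `ztxt_split` and the sample arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Fields of a zTXt chunk body; type and function names are this example's own. */
typedef struct {
    int ok;            /* 1 when keyword, method byte and data are all present */
    int comp_method;   /* compression method byte */
    size_t data_off;   /* offset of the compressed stream in the chunk */
    size_t data_len;   /* length of the compressed stream */
} ztxt_fields;

/* chunkdata holds slength chunk bytes followed by one NUL appended by the
 * reader (assumption), so the keyword scan cannot run past chunkdata+slength.
 * Layout per the PNG specification: keyword, NUL, method byte, compressed data. */
static ztxt_fields ztxt_split(const unsigned char *chunkdata, size_t slength)
{
    ztxt_fields f = {0, 0, 0, 0};
    const unsigned char *text;

    for (text = chunkdata; *text; text++)
        ;                          /* stop on the keyword terminator */

    /* Check from the thread. slength < 2 is tested first so that
     * chunkdata + slength - 2 never points before the buffer. */
    if (slength < 2 || text >= chunkdata + slength - 2)
        return f;                  /* truncated: nothing after the keyword is read */

    f.comp_method = text[1];
    f.data_off = (size_t)(text - chunkdata) + 2;
    f.data_len = slength - f.data_off;
    f.ok = 1;
    return f;
}

/* Constructed samples; the last byte of each array is the appended NUL. */
static const unsigned char s_full[]   = {'T','i','t','l','e',0, 0, 0x78,0x9c,0x03, 0};
static const unsigned char s_nodata[] = {'T','i','t','l','e',0, 0, 0};
static const unsigned char s_nometh[] = {'T','i','t','l','e',0, 0};
static const unsigned char s_noterm[] = {'T','i','t','l','e', 0};
#define SLEN(a) (sizeof(a) - 1)    /* slength excludes the appended NUL */

int main(void)
{
    printf("full=%d nodata=%d nometh=%d noterm=%d\n",
           ztxt_split(s_full, SLEN(s_full)).ok, ztxt_split(s_nodata, SLEN(s_nodata)).ok,
           ztxt_split(s_nometh, SLEN(s_nometh)).ok, ztxt_split(s_noterm, SLEN(s_noterm)).ok);
    return 0;
}
```

Only the first sample is accepted; the other three place the keyword terminator at or beyond `chunkdata + slength - 2` and are rejected before the method byte is read.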


