[Png-mng-security] zTXt incorrect buffer check
Glenn Randers-Pehrson
glennrp at comcast.net
Wed Sep 26 00:54:28 UTC 2007
At 12:24 AM 9/26/2007 +0100, Tavis Ormandy wrote:
>Hello again, flayer turned up another bug
>I suppose the correct check should have been text >= chunkdata + slength - 2?
Thanks; I've made this change in libpng-1.2.21rc1.
Since both bugs are pretty useless for attacking browsers
I mentioned them in the change log.
Glenn
More information about the png-mng-security-archive
mailing list