[Png-mng-security] zTXt incorrect buffer check
Glenn Randers-Pehrson
glennrp at comcast.net
Wed Sep 26 14:19:07 UTC 2007
At 01:44 AM 9/26/2007 +0100, Tavis Ormandy wrote:
>On Wed, Sep 26, 2007 at 12:24:24AM +0100, Tavis Ormandy wrote:
>> ...
>
>Just a note, pretty much exactly the same thing is possible in
>png_handle_sCAL
>
>Thanks, Tavis.
There seems to be the same situation in iTXt as well (iTXt might
be ifdef'ed out of the version you are testing). It has three of
those empty loops but only checks two of them for overflow.
Glenn
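
The message above concerns a chunk handler that runs several empty loops to find string terminators and does not check every one for overflow. The following is an added example, not libpng's code and not from this thread, in which all three iTXt terminator scans go through one bounded helper. `parse_itxt`, `find_nul` and `struct itxt_fields` are hypothetical names; the field order (keyword, compression flag, compression method, language tag, translated keyword, text) is the iTXt layout from the PNG specification.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result type (not libpng's): field offsets into the chunk data. */
struct itxt_fields {
    size_t lang, lang_key, text, text_len;   /* keyword starts at offset 0 */
    unsigned char comp_flag, comp_method;
};

/* Index of the NUL ending the string that starts at `from`, or `len` if the
 * data runs out first. memchr is bounded, so it never reads past the chunk. */
static size_t find_nul(const unsigned char *buf, size_t len, size_t from)
{
    const unsigned char *p;
    if (from >= len) return len;
    p = memchr(buf + from, 0, len - from);
    return p ? (size_t)(p - buf) : len;
}

/* Returns 0 on success, -1 if any field is unterminated or truncated. */
int parse_itxt(const unsigned char *buf, size_t len, struct itxt_fields *out)
{
    size_t nul = find_nul(buf, len, 0);          /* scan 1: keyword */
    if (nul == len || len - nul < 3) return -1;  /* NUL + flag + method */
    out->comp_flag = buf[nul + 1];
    out->comp_method = buf[nul + 2];
    out->lang = nul + 3;

    nul = find_nul(buf, len, out->lang);         /* scan 2: language tag */
    if (nul == len) return -1;
    out->lang_key = nul + 1;

    nul = find_nul(buf, len, out->lang_key);     /* scan 3: translated keyword */
    if (nul == len) return -1;
    out->text = nul + 1;                         /* may equal len: empty text */
    out->text_len = len - out->text;
    return 0;
}

int main(void)
{
    /* Constructed sample chunk data; the second call cuts it off mid-field. */
    static const unsigned char d[] = "Title\0\0\0en\0Titre\0Bonjour";
    struct itxt_fields f;
    printf("full: %d\n", parse_itxt(d, sizeof d - 1, &f));
    printf("truncated: %d\n", parse_itxt(d, 14, &f));
    return 0;
}
```

Keyword length limits and decompression of the text field are outside what this block demonstrates.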