[Png-mng-security] png_set_unknown_chunks doesn't handle bad zero-length unknown chunks?

Tavis Ormandy taviso at sdf.lonestar.org
Sat Apr 5 18:00:41 UTC 2008


Hey Glenn, Greg and other png gurus,

I've run into a case where png_set_unknown_chunks() seems to run into
uninitialized memory when copying zero-length bad unknown chunks. This
seems to happen even with the pngtest program (I'm not sure how good an
indication that is of good API usage?), but it also affected my program.

I'm not 100% confident this is a libpng bug; I may have just
misinterpreted the documentation, but if that's the case then I suppose
I'm reporting a bug in pngtest :-)

Testcase attached.

Thanks, Tavis.

-- 
-------------------------------------
taviso at sdf.lonestar.org | finger me for my gpg key.
-------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 9c48e9ef12cc4d75fd89133f51f94af7.png
Type: image/png
Size: 57335 bytes
Desc: not available
URL: <http://lists.osuosl.org/pipermail/png-mng-security-archive/attachments/20080405/c6adf967/attachment.png>
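The failure mode described in the report, an unknown chunk of length zero whose data pointer cannot be trusted, as an added example of the guard a chunk-copying routine needs. This is constructed illustration code, not libpng's implementation: the struct is a stand-in for libpng's png_unknown_chunk, and the chunk names and payload are made up.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
/* Constructed stand-in for libpng's png_unknown_chunk (not libpng's header). */
typedef struct {
    char name[5];          /* 4-byte chunk type plus NUL */
    unsigned char *data;   /* may be NULL or garbage when size == 0 */
    size_t size;
} unknown_chunk;
static void free_unknown_chunks(unknown_chunk *c, size_t n)
{
    for (size_t i = 0; i < n; i++) free(c[i].data);
    free(c);
}

/* Deep-copy n chunks. The size == 0 guard is the point of the report above:
 * an empty chunk's source data pointer must never be read or passed to memcpy.
 * Returns NULL on allocation failure. */
unknown_chunk *copy_unknown_chunks(const unknown_chunk *src, size_t n)
{
    unknown_chunk *dst = calloc(n ? n : 1, sizeof *dst);
    if (dst == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        memcpy(dst[i].name, src[i].name, sizeof dst[i].name);
        dst[i].size = src[i].size;
        if (src[i].size == 0) continue;  /* data stays NULL from calloc */
        dst[i].data = malloc(src[i].size);
        if (dst[i].data == NULL) { free_unknown_chunks(dst, i); return NULL; }
        memcpy(dst[i].data, src[i].data, src[i].size);
    }
    return dst;
}

/* Constructed sample: an empty private chunk carrying a deliberately bogus
 * data pointer, then a 3-byte chunk. Returns 1 if the copy is correct and
 * the bogus pointer was never touched. */
int demo_zero_length_copy(void)
{
    unsigned char payload[3] = { 1, 2, 3 };
    unknown_chunk src[2] = {
        { "zzZz", (unsigned char *)(uintptr_t)0xdeadbeef, 0 },
        { "zzZy", payload, 3 },
    };
    unknown_chunk *dst = copy_unknown_chunks(src, 2);
    if (dst == NULL) return 0;
    int ok = dst[0].data == NULL && dst[0].size == 0 && dst[1].size == 3
          && memcmp(dst[1].data, payload, 3) == 0;
    free_unknown_chunks(dst, 2);
    return ok;
}
```

Run under a memory checker such as Valgrind or ASan, a copy routine lacking the `size == 0` guard reports an invalid read on the first chunk, which is the kind of symptom the report describes.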