[Png-mng-security] Potential denial of service attack in lcms-1.17

glennrp at comcast.net glennrp at comcast.net
Tue Nov 25 01:11:58 UTC 2008


 -------------- Original message ----------------------
From: "John Bowler" <jbowler at acm.org>
> By code examination of lcms-1.17...
> Fix is to test for white y of zero and fail in the relevant APIs (return
> false.)

Should the fix go in lcms?  We can (will) fix libpng as well.  I can
take care of fixing mozilla's copy of lcms.

I got no answer to our prior bug report to the lcms mailing list
nor to a private email to the lcms author.

Would you send me an appropriately tweaked small PNG file?

Glenn
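
The check proposed in the quoted message (test for a white point y of zero and return false), as an added example that is not lcms or libpng code and not part of the original message. The type and function names are hypothetical, and rejecting negative or non-finite values as well is an assumption that goes beyond what the thread states.

```c
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical types for this example; not the lcms structures. */
typedef struct { double x, y, Y; } example_xyY;
typedef struct { double X, Y, Z; } example_XYZ;

/* Convert a white point from xyY to XYZ.
 * X and Z are both computed by dividing by y, so y == 0 has to be
 * rejected before any arithmetic. Returns false on invalid input
 * and leaves *dst untouched. */
bool example_white_xyY_to_XYZ(const example_xyY *src, example_XYZ *dst)
{
    if (src == NULL || dst == NULL)
        return false;
    /* Assumption: NaN or infinity read from a malformed file is rejected too. */
    if (!isfinite(src->x) || !isfinite(src->y) || !isfinite(src->Y))
        return false;
    /* The check the thread asks for: white y of zero. Negative y is
     * rejected as well (assumption), since it is not a valid chromaticity. */
    if (src->y <= 0.0)
        return false;

    dst->X = (src->x / src->y) * src->Y;
    dst->Y = src->Y;
    dst->Z = ((1.0 - src->x - src->y) / src->y) * src->Y;
    return true;
}

int main(void)
{
    /* Constructed inputs: a D50-like white point and one with y == 0. */
    example_xyY good = { 0.3457, 0.3585, 1.0 };
    example_xyY bad  = { 0.3457, 0.0,    1.0 };
    example_XYZ out  = { 0.0, 0.0, 0.0 };

    if (example_white_xyY_to_XYZ(&good, &out))
        printf("ok: X=%.4f Y=%.4f Z=%.4f\n", out.X, out.Y, out.Z);
    if (!example_white_xyY_to_XYZ(&bad, &out))
        printf("rejected: white point y is zero\n");
    return 0;
}
```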


