[Png-mng-security] Potential denial of service attack in lcms-1.17

John Bowler jbowler at acm.org
Tue Nov 25 05:19:12 UTC 2008


From: glennrp at comcast.net [mailto:glennrp at comcast.net] 
>Just-released libpng-1.4.0beta40 rejects cHRM input with white_y <= 0.
>Are you sure we should not also test white_x?

For the benefit of anyone not on png-mng-implement, here is the basic
arithmetic that requires the white_y test but not the corresponding test on
white_x:

white_Y = 1.0 (given)
white_y = white_Y/(white_X + white_Y + white_Z)
	= 1.0/(white_X + 1.0 + white_Z)

Therefore white_y cannot be 0 (white_X and white_Z are assumed to be
finite.)

white_x = white_X/(white_X + white_Y + white_Z)
	= white_X/(white_X + 1.0 + white_Z)

white_x therefore can be zero if white_X is zero.  white_X is not itself
constrained to be non-zero (even though zero is a very suspicious value.)

John Bowler <jbowler at acm.org>
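
The arithmetic above carried through as a check, added here as an example and not part of the original message or of libpng or lcms code. The hypothetical helper `white_xy_to_XYZ` inverts the relations with white_Y = 1.0, which divides by white_y, so it rejects white_y <= 0 while accepting white_x = 0; all names and sample values are constructed.

```c
#include <stdio.h>

/* Hypothetical types and helpers for illustration; not libpng or lcms API. */
typedef struct { double X, Y, Z; } xyz_t;

/* Forward direction, exactly as in the message, with white_Y fixed at 1.0. */
void white_XYZ_to_xy(double X, double Z, double *x, double *y)
{
    double sum = X + 1.0 + Z;
    *x = X / sum;
    *y = 1.0 / sum;   /* never 0 for finite X and Z */
}

/* Inverse direction: recover XYZ from chromaticity.
 * Dividing x = X/sum by y = 1/sum gives X = x/y, and since
 * sum = 1/y, Z = sum - X - 1 = (1 - x - y)/y.
 * Returns 0 on success, -1 if the white point must be rejected. */
int white_xy_to_XYZ(double x, double y, xyz_t *out)
{
    if (!(y > 0.0))   /* rejects 0, negatives and NaN before dividing */
        return -1;
    /* No test on x: x == 0 only means X == 0, which is allowed. */
    out->X = x / y;
    out->Y = 1.0;
    out->Z = (1.0 - x - y) / y;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: D65-like, x == 0, and y == 0. */
    double in[3][2] = { {0.3127, 0.3290}, {0.0, 0.5}, {0.3127, 0.0} };
    for (int i = 0; i < 3; i++) {
        xyz_t w;
        if (white_xy_to_XYZ(in[i][0], in[i][1], &w) != 0)
            printf("x=%g y=%g: rejected\n", in[i][0], in[i][1]);
        else
            printf("x=%g y=%g: X=%g Y=%g Z=%g\n",
                   in[i][0], in[i][1], w.X, w.Y, w.Z);
    }
    return 0;
}
```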




