[Png-mng-security] Potential denial of service attack in lcms-1.17
John Bowler
jbowler at acm.org
Tue Nov 25 05:19:12 UTC 2008
From: glennrp at comcast.net [mailto:glennrp at comcast.net]
>Just-released libpng-1.4.0beta40 rejects cHRM input with white_y <= 0.
>Are you sure we should not also test white_x?
For the benefit of anyone not on png-mng-implement, here is the basic
arithmetic that requires the white_y test but not the corresponding test on
white_x:
    white_Y = 1.0 (given)
    white_y = white_Y/(white_X + white_Y + white_Z)
            = 1.0/(white_X + 1.0 + white_Z)
Therefore white_y cannot be 0 (white_X and white_Z are assumed to be
finite.)
    white_x = white_X/(white_X + white_Y + white_Z)
            = white_X/(white_X + 1.0 + white_Z)
white_x therefore can be zero if white_X is zero. white_X is not itself
constrained to be non-zero (even though zero is a very suspicious value.)
John Bowler <jbowler at acm.org>
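
The arithmetic above, run in the other direction, as an added example (not part of the original message, and not libpng or lcms code): recovering XYZ from a cHRM white point divides by white_y, so white_y <= 0 has to be rejected, while white_x = 0 converts cleanly. The helper name and struct are hypothetical; the inputs are the PNG fixed-point values (chromaticity times 100000), and the sample white points are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* PNG cHRM stores each chromaticity as an integer scaled by 100000. */
#define CHRM_SCALE 100000.0

typedef struct { double X, Y, Z; } xyz_t;

/*
 * Hypothetical helper: convert a cHRM white point (white_x, white_y) to
 * XYZ normalised so that white_Y = 1.0, as in the message above.
 * Returns 0 on success, -1 if the white point is rejected.
 * Only the white_y test discussed in the thread is applied here; any
 * further plausibility checks are outside the scope of this example.
 */
int white_xy_to_XYZ(int32_t white_x, int32_t white_y, xyz_t *out)
{
    /* white_y = 1.0/(white_X + 1.0 + white_Z) can never be 0 for finite
     * X and Z, and it is the divisor below, so reject it up front. */
    if (white_y <= 0)
        return -1;

    double x = white_x / CHRM_SCALE;
    double y = white_y / CHRM_SCALE;

    /* From x = X/(X+Y+Z), y = Y/(X+Y+Z) with Y = 1: X+Y+Z = 1/y. */
    out->X = x / y;               /* zero when white_x is zero: legal */
    out->Y = 1.0;
    out->Z = (1.0 - x - y) / y;
    return 0;
}

int main(void)
{
    /* Constructed samples: a D65-like white, white_x = 0, white_y = 0. */
    int32_t samples[3][2] = { {31270, 32900}, {0, 32900}, {31270, 0} };
    for (int i = 0; i < 3; i++) {
        xyz_t w;
        int rc = white_xy_to_XYZ(samples[i][0], samples[i][1], &w);
        if (rc == 0)
            printf("x=%d y=%d -> X=%.4f Y=%.4f Z=%.4f\n",
                   samples[i][0], samples[i][1], w.X, w.Y, w.Z);
        else
            printf("x=%d y=%d -> rejected\n", samples[i][0], samples[i][1]);
    }
    return 0;
}
```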