[Png-mng-security] potentially serious memory handling error in libpng

Tavis Ormandy taviso at sdf.lonestar.org
Wed Feb 4 13:58:53 UTC 2009


On Wed, Feb 04, 2009 at 12:45:57PM +0000, glennrp at comcast.net wrote:
> Rats. I liked the version number 1.2.34 as the final stable version number. 
> 
> Would this cure the defect? 
> 
> insert between 1439 and 1440 
> 
> for (row = 0; row < (int)info_ptr->height; row++) 
> info_ptr->row_pointers[row] = NULL; 
> 
> Oh, never mind, your "memset" solution is more compact. 
> 
> Glenn 
> 
> > I'm not sure if you need additional logic to handle 16bit machines, like the 
> > unused logic in png_zalloc()? 
> 
> Dunno. I think my version (explicitly setting the pointers one by one) 
> would be immune to pointer-size problems. 
> 
> Glenn 
> 

Good point, you're right. This sounds good to me.

Thanks, Tavis.


-- 
-------------------------------------
taviso at sdf.lonestar.org | finger me for my gpg key.
-------------------------------------------------------
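As an added example (not libpng's own code) of the pattern the loop discussed above protects: the row-pointer table is NULLed before any row is allocated, so cleanup after a partial failure frees only what was actually obtained, and the explicit NULL stores carry Glenn's portability point over memset. `row_table`, `alloc_rows`, `free_rows`, `roundtrip` and the simulated failure via `fail_at` are constructed for this example.

```c
#include <stdlib.h>
/* Stand-in for libpng's row-pointer table (constructed; not the real layout). */
struct row_table {
    size_t height;
    unsigned char **row_pointers;
};
/* Free every allocated row, then the table; safe only because unallocated slots hold NULL. */
void free_rows(struct row_table *t)
{
    size_t row;
    if (t->row_pointers == NULL)
        return;
    for (row = 0; row < t->height; row++)
        free(t->row_pointers[row]);          /* free(NULL) is a no-op */
    free(t->row_pointers);
    t->row_pointers = NULL;
}
/* Allocate height rows of rowbytes bytes; fail_at < height simulates a failed malloc
   at that row. Returns 0, or -1 after releasing everything allocated so far. */
int alloc_rows(struct row_table *t, size_t height, size_t rowbytes, size_t fail_at)
{
    size_t row;
    t->height = height;
    t->row_pointers = malloc(height * sizeof *t->row_pointers);
    if (t->row_pointers == NULL)
        return -1;
    /* Explicit NULL stores, as in Glenn's loop: portable whatever the pointer
       size or null-pointer representation, unlike memset(..., 0, ...). */
    for (row = 0; row < height; row++)
        t->row_pointers[row] = NULL;
    for (row = 0; row < height; row++) {
        t->row_pointers[row] = (row == fail_at) ? NULL : malloc(rowbytes);
        if (t->row_pointers[row] == NULL) {
            free_rows(t);                    /* cleanup relies on the NULLs */
            return -1;
        }
    }
    return 0;
}
/* Exercise both paths: 1 = allocated and freed, 0 = failure cleaned up, -1 = dangling. */
int roundtrip(size_t height, size_t rowbytes, size_t fail_at)
{
    struct row_table t;
    int rc = alloc_rows(&t, height, rowbytes, fail_at);
    if (rc == 0)
        free_rows(&t);
    if (t.row_pointers != NULL)
        return -1;
    return rc == 0 ? 1 : 0;
}
```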