[Png-mng-security] potentially serious memory handling error in libpng
Tavis Ormandy
taviso at sdf.lonestar.org
Wed Feb 4 13:58:53 UTC 2009
On Wed, Feb 04, 2009 at 12:45:57PM +0000, glennrp at comcast.net wrote:
> Rats. I liked the version number 1.2.34 as the final stable version number.
>
> Would this cure the defect?
>
> insert between 1439 and 1440
>
> for (row = 0; row < (int)info_ptr->height; row++)
>     info_ptr->row_pointers[row] = NULL;
>
> Oh, never mind, your "memset" solution is more compact.
>
> Glenn
>
> > I'm not sure if you need additional logic to handle 16-bit machines, like the
> > unused logic in png_zalloc()?
>
> Dunno. I think my version (explicitly setting the pointers one by one)
> would be immune to pointer-size problems.
>
> Glenn
>
Good point, you're right. This sounds good to me.
Thanks, Tavis.
--
-------------------------------------
taviso at sdf.lonestar.org | finger me for my gpg key.
-------------------------------------------------------
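The per-slot NULL initialisation discussed in the thread above, shown as an added stand-alone example (not libpng code and not written by either poster). The `struct image` type, the function names and the `fail_at` failure injection are hypothetical, and the example assumes the concern is cleanup code walking the row-pointer array after row allocation stops part-way.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the image info struct; not libpng's own type. */
struct image { size_t height; unsigned char **row_pointers; };

/* Allocate the pointer array, NULL every slot, then allocate the rows.
   fail_at is constructed failure injection: that row's allocation "fails". */
static int image_alloc_rows(struct image *img, size_t height,
                            size_t rowbytes, size_t fail_at)
{
    img->height = 0;
    img->row_pointers = NULL;
    if (height == 0 || height > SIZE_MAX / sizeof *img->row_pointers)
        return -1;                      /* reject empty or overflowing sizes */
    img->row_pointers = malloc(height * sizeof *img->row_pointers);
    if (img->row_pointers == NULL)
        return -1;
    img->height = height;
    for (size_t row = 0; row < height; row++)
        img->row_pointers[row] = NULL;  /* explicit per-slot assignment */
    for (size_t row = 0; row < height; row++) {
        if (row == fail_at)
            return -1;                  /* later slots stay NULL */
        img->row_pointers[row] = malloc(rowbytes);
        if (img->row_pointers[row] == NULL)
            return -1;
    }
    return 0;
}

/* Cleanup after success or partial failure; returns the number of rows freed.
   Correct only because every slot that was never allocated holds NULL. */
static size_t image_free_rows(struct image *img)
{
    size_t freed = 0;
    for (size_t row = 0; img->row_pointers && row < img->height; row++)
        if (img->row_pointers[row] != NULL) {
            free(img->row_pointers[row]);
            freed++;
        }
    free(img->row_pointers);
    img->row_pointers = NULL;
    return freed;
}

int main(void)
{
    struct image img;
    int rc = image_alloc_rows(&img, 8, 16, 3);   /* constructed input */
    printf("rc=%d freed=%zu\n", rc, image_free_rows(&img));
    return 0;
}
```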