[Png-mng-security] potentially serious memory handling error in libpng

glennrp at comcast.net glennrp at comcast.net
Wed Feb 4 19:25:45 UTC 2009


SECURITY SENSITIVE 

Libpng-1.2.35beta01 addresses this vulnerability along with 
a similar one in the pCAL chunk reader. There's another in 
the code that builds the 16-bit gamma table but I doubt that 
it could be exploited. I fixed it anyway. 

Addressees please note that this message is private and should 
not be immediately reflected to the debian public mailing list like 
last time. Give us 2 weeks to run through the usual beta, rc1 cycle. 

Tavis, please pass this along to the security community. 

Glenn 

----- Original Message ----- 
From: "Tavis Ormandy" <taviso at sdf.lonestar.org> 
To: glennrp at comcast.net 
Cc: scarybeasts at gmail.com, png-mng-security at simple.dallas.tx.us 
Sent: Wednesday, February 4, 2009 8:58:53 AM GMT -05:00 US/Canada Eastern 
Subject: Re: potentially serious memory handling error in libpng 

On Wed, Feb 04, 2009 at 12:45:57PM +0000, glennrp at comcast.net wrote: 
> Rats. I liked the version number 1.2.34 as the final stable version number. 
> 
> Would this cure the defect? 
> 
> insert between 1439 and 1440 
> 
> for (row = 0; row < (int)info_ptr->height; row++)
>    info_ptr->row_pointers[row] = NULL;
> 
> Oh, never mind, your "memset" solution is more compact. 
> 
> Glenn 
> 
> > I'm not sure if you need additional logic to handle 16bit machines, like the 
> > unused logic in png_zalloc()? 
> 
> Dunno. I think my version (explicitly setting the pointers one by one) 
> would be immune to pointer-size problems. 
> 
> Glenn 
> 

Good point, you're right. This sounds good to me. 

Thanks, Tavis. 


-- 
------------------------------------- 
taviso at sdf.lonestar.org | finger me for my gpg key. 
------------------------------------------------------- 
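The defect discussed in this thread is a table of row pointers that is allocated but not initialised, so an error path that frees every slot ends up passing garbage pointers to free(). The following is an added, self-contained C model of that pattern and its fix; it is not libpng code, and the type and function names (row_table, row_table_alloc, row_table_free, row_table_allocated_rows, fail_at) are assumptions made for this illustration. It uses the explicit per-slot NULL loop from the quoted message and notes in a comment why that is the portable choice relative to memset.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of an image row-pointer table; not libpng's own
 * structures. The table is allocated first, then one buffer per row. */
typedef struct {
    size_t height;
    size_t rowbytes;
    unsigned char **row_pointers;
} row_table;

/* Free every row and then the table. This is only safe because every
 * slot is either a valid buffer or NULL: free() on an uninitialised
 * pointer is undefined behaviour, which is the bug the thread fixes. */
static void row_table_free(row_table *t)
{
    if (t->row_pointers == NULL)
        return;
    for (size_t row = 0; row < t->height; row++)
        free(t->row_pointers[row]);   /* free(NULL) is a no-op */
    free(t->row_pointers);
    t->row_pointers = NULL;
}

/* Allocate the table and its rows. Every slot is set to NULL before any
 * row is allocated, so a failure part way through leaves nothing
 * dangling for row_table_free() to trip over.
 *
 * An explicit assignment loop is used instead of memset(..., 0, ...):
 * memset writes all-bits-zero, which equals a null pointer on every
 * common platform but is not guaranteed by the C standard, whereas
 * assigning NULL is correct on any pointer representation.
 *
 * fail_at simulates an allocation failure on that row index (use
 * SIZE_MAX for "never fail") so the cleanup path can be exercised.
 * Returns 0 on success, -1 on failure with all memory released. */
static int row_table_alloc(row_table *t, size_t height, size_t rowbytes,
                           size_t fail_at)
{
    t->height = height;
    t->rowbytes = rowbytes;
    t->row_pointers = NULL;

    /* Guard the size computation against overflow before allocating. */
    if (height > SIZE_MAX / sizeof *t->row_pointers)
        return -1;
    t->row_pointers = malloc(height * sizeof *t->row_pointers);
    if (t->row_pointers == NULL)
        return -1;

    for (size_t row = 0; row < height; row++)
        t->row_pointers[row] = NULL;

    for (size_t row = 0; row < height; row++) {
        unsigned char *buf = (row == fail_at) ? NULL : malloc(rowbytes);
        if (buf == NULL) {
            row_table_free(t);        /* safe: unfilled slots are NULL */
            return -1;
        }
        t->row_pointers[row] = buf;
    }
    return 0;
}

/* Number of slots that currently hold a buffer (0 once freed). */
static size_t row_table_allocated_rows(const row_table *t)
{
    size_t n = 0;
    if (t->row_pointers == NULL)
        return 0;
    for (size_t row = 0; row < t->height; row++)
        if (t->row_pointers[row] != NULL)
            n++;
    return n;
}

int main(void)
{
    row_table t;
    int ok = row_table_alloc(&t, 4, 16, SIZE_MAX);   /* all rows succeed */
    row_table_free(&t);
    int failed = row_table_alloc(&t, 4, 16, 2);      /* third row fails */
    return (ok == 0 && failed == -1 && t.row_pointers == NULL) ? 0 : 1;
}
```

The important property is that the cleanup routine never has to know how far allocation got: because every slot starts as NULL and free(NULL) is defined to do nothing, the same free loop is correct after a full success, a failure on the first row, or a failure on the last.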