[Png-mng-security] potentially serious memory handling error in libpng
glennrp at comcast.net
Wed Feb 4 19:25:45 UTC 2009
SECURITY SENSITIVE
Libpng-1.2.35beta01 addresses this vulnerability along with
a similar one in the pCAL chunk reader. There's another in
the code that builds the 16-bit gamma table but I doubt that
it could be exploited. I fixed it anyway.
Addressees please note that this message is private and should
not be immediately reflected to the debian public mailing list like
last time. Give us 2 weeks to run through the usual beta, rc1 cycle.
Tavis, please pass this along to the security community.
Glenn
----- Original Message -----
From: "Tavis Ormandy" <taviso at sdf.lonestar.org>
To: glennrp at comcast.net
Cc: scarybeasts at gmail.com, png-mng-security at simple.dallas.tx.us
Sent: Wednesday, February 4, 2009 8:58:53 AM GMT -05:00 US/Canada Eastern
Subject: Re: potentially serious memory handling error in libpng
On Wed, Feb 04, 2009 at 12:45:57PM +0000, glennrp at comcast.net wrote:
> Rats. I liked the version number 1.2.34 as the final stable version number.
>
> Would this cure the defect?
>
> insert between 1439 and 1440
>
>     for (row = 0; row < (int)info_ptr->height; row++)
>         info_ptr->row_pointers[row] = NULL;
>
> Oh, never mind, your "memset" solution is more compact.
>
> Glenn
>
> > I'm not sure if you need additional logic to handle 16bit machines, like the
> > unused logic in png_zalloc()?
>
> Dunno. I think my version (explicitly setting the pointers one by one)
> would be immune to pointer-size problems.
>
> Glenn
>
Good point, you're right. This sounds good to me.
Thanks, Tavis.
--
-------------------------------------
taviso at sdf.lonestar.org | finger me for my gpg key.
-------------------------------------------------------
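
Added example, not part of the original messages and not libpng code: a minimal C sketch of why the loop quoted above matters. It assumes the defect is that row_pointers slots are still unset when a later row allocation fails and cleanup then walks the whole array. The names image_info, row_alloc, alloc_rows, free_rows and fail_at are hypothetical, and the failing allocation is a constructed fault.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for the image structure: only height and row_pointers. */
typedef struct { unsigned long height; unsigned char **row_pointers; } image_info;

static int rows_freed;      /* counts rows actually freed, for checking */
static long fail_at = -1;   /* constructed fault: row index whose allocation fails */

static void *row_alloc(unsigned long row, size_t n) {
    return ((long)row == fail_at) ? NULL : malloc(n);
}

/* Error-path cleanup walks every slot. That is only safe when each slot holds
   either NULL or a pointer that really came from the allocator. */
static void free_rows(image_info *info) {
    unsigned long row;
    if (info->row_pointers == NULL) return;
    for (row = 0; row < info->height; row++) {
        if (info->row_pointers[row] != NULL) { free(info->row_pointers[row]); rows_freed++; }
    }
    free(info->row_pointers);
    info->row_pointers = NULL;
}

/* Returns 0 on success, -1 on allocation failure (after cleaning up). */
static int alloc_rows(image_info *info, size_t rowbytes) {
    unsigned long row;
    if (info->height > SIZE_MAX / sizeof *info->row_pointers) return -1;
    info->row_pointers = malloc(info->height * sizeof *info->row_pointers);
    if (info->row_pointers == NULL) return -1;
    /* The fix from the thread: assign NULL to each slot, one pointer at a
       time, before any row is allocated, so no slot is left indeterminate. */
    for (row = 0; row < info->height; row++)
        info->row_pointers[row] = NULL;
    for (row = 0; row < info->height; row++) {
        info->row_pointers[row] = row_alloc(row, rowbytes);
        if (info->row_pointers[row] == NULL) { free_rows(info); return -1; }
    }
    return 0;
}

int main(void) {
    image_info img = { 8, NULL };
    fail_at = 3;   /* rows 0..2 succeed, row 3 fails */
    return (alloc_rows(&img, 64) == -1 && rows_freed == 3) ? 0 : 1;
}
```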