[Png-mng-security] potentially serious memory handling error in libpng
glennrp at comcast.net
Thu Feb 5 15:03:52 UTC 2009
----- Original Message -----
From: "Tavis Ormandy" <taviso at sdf.lonestar.org>
To: glennrp at comcast.net
Cc: scarybeasts at gmail.com, png-mng-security at simple.dallas.tx.us
Sent: Wednesday, February 4, 2009 8:58:53 AM GMT -05:00 US/Canada Eastern
Subject: Re: potentially serious memory handling error in libpng
On Wed, Feb 04, 2009 at 12:45:57PM +0000, glennrp at comcast.net wrote:
> Rats. I liked the version number 1.2.34 as the final stable version number.
>
> Would this cure the defect?
>
> insert between 1439 and 1440
>
> for (row = 0; row < (int)info_ptr->height; row++)
> info_ptr->row_pointers[row] = NULL;
>
> Oh, never mind, your "memset" solution is more compact.
>
> Glenn
>
> > I'm not sure if you need additional logic to handle 16-bit machines, like the
> > unused logic in png_zalloc()?
>
> Dunno. I think my version (explicitly setting the pointers one by one)
> would be immune to pointer-size problems.
>
> Glenn
>
Good point, you're right. This sounds good to me.
Thanks, Tavis.
On the other hand, we have been getting away with using memset
to initialize pointers to zero all along. When we create the png_struct
we memset it to zero, and later on we check for read_fn == NULL, etc.
So in the case that memset is not safe for this purpose we have a few
other bugs to fix.
For now let's just assume it's safe and start another bug on the open
png-mng-implement list about memset safety.
Glenn
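A defensive pattern for the allocation discussed above, as an added example that is neither libpng's code nor the patch from the thread: the row-pointer array is set to NULL element by element before any row is allocated, so that cleanup after a partial allocation failure frees only rows that really exist. The names null_rows, free_rows and alloc_rows and the fail_at test hook are assumed for illustration; memset_null_is_safe checks, on the running platform, the "is memset safe for pointers" question the thread raises.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Explicit per-element NULL initialization, as proposed in the thread:
 * correct whatever bit pattern a null pointer has on the target. */
static void null_rows(unsigned char **rows, size_t height)
{
    for (size_t row = 0; row < height; row++)
        rows[row] = NULL;
}

/* Runtime check of the thread's memset shortcut: 1 iff all-zero bits == NULL. */
int memset_null_is_safe(void)
{
    unsigned char *p;
    memset(&p, 0, sizeof p);
    return p == NULL;
}

/* Free every allocated row, then the array; returns the number of rows
 * freed. Relies on unallocated slots being NULL, never uninitialized. */
size_t free_rows(unsigned char **rows, size_t height)
{
    size_t freed = 0;
    for (size_t row = 0; row < height; row++)
        if (rows[row] != NULL) {
            free(rows[row]);
            freed++;
        }
    free(rows);
    return freed;
}

/* Allocate `height` rows of `rowbytes` bytes. `fail_at` is a hypothetical test
 * hook: that row's malloc fails ((size_t)-1 disables it). Returns the array,
 * or NULL after freeing whatever was allocated before the failure. */
unsigned char **alloc_rows(size_t height, size_t rowbytes, size_t fail_at)
{
    unsigned char **rows = malloc(height * sizeof *rows);
    if (rows == NULL) return NULL;
    null_rows(rows, height);            /* the fix: no garbage pointers */
    for (size_t row = 0; row < height; row++) {
        rows[row] = (row == fail_at) ? NULL : malloc(rowbytes);
        if (rows[row] == NULL) {
            free_rows(rows, height);    /* skips the still-NULL slots */
            return NULL;
        }
    }
    return rows;
}
```

Without the null_rows call, the cleanup in the failure path would pass uninitialized slots to free(); run under AddressSanitizer or valgrind to see the difference.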