[Png-mng-security] potentially serious memory handling error in libpng

glennrp at comcast.net glennrp at comcast.net
Thu Feb 5 15:03:52 UTC 2009


----- Original Message ----- 
From: "Tavis Ormandy" <taviso at sdf.lonestar.org> 
To: glennrp at comcast.net 
Cc: scarybeasts at gmail.com, png-mng-security at simple.dallas.tx.us 
Sent: Wednesday, February 4, 2009 8:58:53 AM GMT -05:00 US/Canada Eastern 
Subject: Re: potentially serious memory handling error in libpng 

On Wed, Feb 04, 2009 at 12:45:57PM +0000, glennrp at comcast.net wrote: 
> Rats. I liked the version number 1.2.34 as the final stable version number. 
> 
> Would this cure the defect? 
> 
> insert between 1439 and 1440 
> 
> for (row = 0; row < (int)info_ptr->height; row++) 
>     info_ptr->row_pointers[row] = NULL; 
> 
> Oh, never mind, your "memset" solution is more compact. 
> 
> Glenn 
> 
> > I'm not sure if you need additional logic to handle 16bit machines, like the 
> > unused logic in png_zalloc()? 
> 
> Dunno. I think my version (explicitly setting the pointers one by one) 
> would be immune to pointer-size problems. 
> 
> Glenn 
> 

Good point, you're right. This sounds good to me. 

Thanks, Tavis. 

On the other hand, we have been getting away with using memset 
to initialize pointers to zero all along. When we create the png_struct 
we memset it to zero, and later on we check for read_fn == NULL, etc. 

So in the case that memset is not safe for this purpose we have a few 
other bugs to fix. 

For now let's just assume it's safe and start another bug on the open 
png-mng-implement list about memset safety. 

Glenn 
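The defect and fix the thread discusses, as an added example that is not libpng's code and not from either correspondent: a row-pointer table is NULLed slot by slot right after it is allocated (the loop Glenn quoted), so that if a later row allocation fails, the cleanup loop frees only NULL or valid pointers instead of uninitialised garbage. The struct, function names and the simulated failure are constructed for this example; memset_zero_is_null() is a small runtime check for the open question of whether memset-to-zero produces a null pointer on the build platform.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for libpng's per-image row-pointer table (constructed; not libpng code). */
typedef struct {
    unsigned height;
    unsigned char **row_pointers;
} image_rows;
/* NULL every slot explicitly, as in the loop quoted in the thread (portable for any NULL bit pattern). */
static int rows_alloc_table(image_rows *img, unsigned height) {
    unsigned row;
    img->height = height;
    img->row_pointers = malloc(height * sizeof *img->row_pointers);
    if (img->row_pointers == NULL)
        return -1;
    for (row = 0; row < height; row++)
        img->row_pointers[row] = NULL;
    return 0;
}
/* Cleanup: safe only because unfilled slots hold NULL (free(NULL) is a no-op). */
static void rows_free(image_rows *img) {
    unsigned row;
    if (img->row_pointers == NULL)
        return;
    for (row = 0; row < img->height; row++)
        free(img->row_pointers[row]);
    free(img->row_pointers);
    img->row_pointers = NULL;
}
/* Fill rows, simulate an allocation failure at row fail_at, then clean up; returns rows allocated. */
static unsigned rows_demo(unsigned height, size_t rowbytes, unsigned fail_at) {
    image_rows img;
    unsigned row;
    if (rows_alloc_table(&img, height) != 0)
        return 0;
    for (row = 0; row < height && row != fail_at; row++)
        if ((img.row_pointers[row] = malloc(rowbytes)) == NULL)
            break;
    rows_free(&img); /* slots row..height-1 are still NULL, so this is safe */
    return row;
}
/* The thread's open question: does memset-to-zero yield a null pointer here? */
static int memset_zero_is_null(void) {
    unsigned char *p;
    memset(&p, 0, sizeof p);
    return p == NULL;
}
```

Without the NULL loop in rows_alloc_table, the same rows_free call after a partial allocation would pass whatever bytes malloc left in the unfilled slots to free(), which is the memory-handling error the thread is about.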