[Png-mng-security] potentially serious memory handling error in libpng

glennrp at comcast.net
Thu Feb 5 17:28:42 UTC 2009


----- Original Message ----- 
From: "John Bowler" <jbowler at acm.org> 
To: glennrp at comcast.net, "Tavis Ormandy" <taviso at sdf.lonestar.org> 
Cc: png-mng-security at simple.dallas.tx.us 
Sent: Thursday, February 5, 2009 11:37:58 AM GMT -05:00 US/Canada Eastern 
Subject: RE: [Png-mng-security] potentially serious memory handling error in libpng 

From: glennrp at comcast.net 
>On the other hand, we have been getting away with using memset 
>to initialize pointers to zero all along. When we create the png_struct 
>we memset it to zero, and later on we check for read_fn == NULL, etc. 
> 
>So in the case that memset is not safe for this purpose we have a few 
>other bugs to fix. 

An architecture where the NULL pointer is not the bit pattern 0 will fail immediately, so we can be reasonably sure no such architecture is running an unmodified libpng. 

Doesn't this depend only on the C compiler implementation rather than the architecture? 

Memset is *much* safer for this purpose. It's the best way to ensure that every field in the structure is initialized. It's much more of a security risk to rely on the code explicitly initializing every field. 

John Bowler <jbowler at acm.org> 

I would not suggest doing away with memset entirely but rather something like this: 

/* zero the whole struct: pass the pointer and the size of what it points to */ 
memset (png_ptr, 0, sizeof(*png_ptr)); 
#ifdef PNG_MEMSET_POINTERS_IS_UNSAFE 
/* only needed where an all-zero bit pattern is not a null pointer */ 
png_ptr->read_fn=NULL; 
png_ptr->write_fn=NULL; 
png_ptr->malloc_fn=NULL; 
#endif 

#ifdef PNG_MEMSET_POINTERS_IS_UNSAFE 
for (i=0; i<N; i++) 
pointers[i]=NULL; 
#else 
/* N elements, so N * sizeof(element) bytes, not N bytes */ 
memset (pointers, 0, N * sizeof(pointers[0])); 
#endif 

Googling for "memset null pointer" turns up a lot of flame wars and pretty much 
agreement that the NULL pointer does not have to be all zeroes. However, no 
one seems to be able to provide an example. Therefore in the above I would 
leave PNG_MEMSET_POINTERS_IS_UNSAFE undefined by default. 

Glenn 
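As an added illustration (not code from the thread or from libpng), the check below exercises the property the memset approach depends on, using a hypothetical demo_struct that stands in for the png_struct members named above; a 0 return from either function is what would justify defining PNG_MEMSET_POINTERS_IS_UNSAFE on a given platform:

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the png_struct members under discussion
   (an assumption, not libpng's real layout). */
struct demo_struct {
    void (*read_fn)(void *, unsigned char *, size_t);
    void (*write_fn)(void *, unsigned char *, size_t);
    void *(*malloc_fn)(void *, size_t);
    int mode;
};

/* Zero the whole struct (pointer and sizeof the pointed-to struct, not of
   the pointer), then set pointer members explicitly if the build asks. */
static void demo_init(struct demo_struct *p)
{
    memset(p, 0, sizeof(*p));
#ifdef PNG_MEMSET_POINTERS_IS_UNSAFE
    p->read_fn = NULL;
    p->write_fn = NULL;
    p->malloc_fn = NULL;
#endif
}

/* 1 if all-bits-zero pointers compare equal to NULL here (what the memset
   approach relies on); 0 would mean PNG_MEMSET_POINTERS_IS_UNSAFE is needed. */
int memset_yields_null_pointers(void)
{
    struct demo_struct s;
    void *pointers[4];
    size_t i;
    demo_init(&s);
    if (s.read_fn != NULL || s.write_fn != NULL || s.malloc_fn != NULL)
        return 0;
    memset(pointers, 0, sizeof(pointers)); /* N * sizeof(void *), not N */
    for (i = 0; i < sizeof(pointers) / sizeof(pointers[0]); i++)
        if (pointers[i] != NULL)
            return 0;
    return 1;
}

/* 1 if a memset-zeroed pointer and an explicitly NULL-assigned pointer have
   the same bit pattern (compared byte-wise on a lone pointer, so no padding). */
int zeroed_matches_explicit(void)
{
    void *(*zeroed)(void *, size_t);
    void *(*explicit_null)(void *, size_t) = NULL;
    memset(&zeroed, 0, sizeof(zeroed));
    return memcmp(&zeroed, &explicit_null, sizeof(zeroed)) == 0;
}
```

Compiling it once with and once without -DPNG_MEMSET_POINTERS_IS_UNSAFE shows that both paths leave the pointer members null on a conventional platform.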