[Png-mng-security] libpng-1.2.35beta03

John Bowler jbowler at acm.org
Fri Feb 6 17:26:02 UTC 2009


From: glennrp at comcast.net
> I've posted libpng-1.2.35beta03 at
> http://www.simplesystems.org/users/glennrp/sbo/lp1235b03
> It uses png_memset() to initialize the pointer arrays.

From: "Greg Roelofs"
>> ...earlier ... pseudocode had an incorrect memset()
>> size (missing sizeof()).

I checked the diff:
http://www.simplesystems.org/users/glennrp/sbo/lp1235b03/libpng-1.2.35beta03-1.2.34-diff.txt
It seems fine.

That's the downside to using the "sizeof" operator.  It's very hard to
maintain code of the form:

 png_ptr->gamma_16_to_1 = (png_uint_16pp)png_malloc(png_ptr,
            (png_uint_32)(num * png_sizeof(png_uint_16p)));

 png_memset(png_ptr->gamma_16_to_1, 0, num * png_sizeof(png_uint_16p));

The problem is ensuring that the size calculation: "num *
png_sizeof(png_uint_16p)" remains the same in both cases as the code is
edited.

An improvement would be to create and use either "png_zalloc" (like malloc
but zeros the result) or png_calloc (takes a count like calloc and zeros the
result.)  Then all the allocated memory would be guaranteed to be set to
zero.

My personal opinion is that code that has security requirements should
*never* use malloc for data structures.  Of course libpng should use malloc
for line buffers, because there are performance implications when bytes of
line buffers are touched, but line buffers of garbage can be handled
correctly by libpng.

John Bowler <jbowler at acm.org>
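An added example (not libpng code and not from the message above) of the calloc-style helper the message proposes. The names example_calloc, EXAMPLE_CALLOC_ARRAY, example_table_is_zeroed and example_overflow_rejected are hypothetical. The size is computed once, checked for multiplication overflow, and the memory is zeroed before it is returned, so there is no second "num * sizeof(...)" expression for a later edit to leave out of sync with the allocation; the macro further derives the element size from the pointer's own type.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper in the spirit of the png_calloc suggested in the
   message. It is not libpng code. The size is computed exactly once,
   the multiplication is checked for overflow, and the result is zero
   filled, so callers never repeat the size expression in a memset. */
void *example_calloc(size_t count, size_t elem_size)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return NULL;  /* count * elem_size would wrap around */
    size_t total = count * elem_size;
    void *p = malloc(total ? total : 1);  /* avoid malloc(0) ambiguity */
    if (p == NULL)
        return NULL;
    memset(p, 0, total);
    return p;
}

/* Macro variant: the element size comes from the pointer's own type, so
   changing the declaration cannot leave a stale sizeof() behind. */
#define EXAMPLE_CALLOC_ARRAY(ptr, count) \
    ((ptr) = example_calloc((count), sizeof(*(ptr))))

/* Allocates a pointer table the way the gamma tables in the message are
   allocated and returns 1 if every entry is NULL on return. */
int example_table_is_zeroed(size_t num)
{
    uint16_t **table = NULL;
    int ok = 1;
    EXAMPLE_CALLOC_ARRAY(table, num);
    if (table == NULL)
        return 0;
    for (size_t i = 0; i < num; i++)
        if (table[i] != NULL)
            ok = 0;
    free(table);
    return ok;
}

/* Returns 1 if an element count that cannot fit in size_t is refused. */
int example_overflow_rejected(void)
{
    void *p = example_calloc((size_t)-1, sizeof(uint16_t *));
    if (p != NULL) {
        free(p);
        return 0;
    }
    return 1;
}

int main(void)
{
    return (example_table_is_zeroed(256) && example_overflow_rejected()) ? 0 : 1;
}
```

The overflow check matters for the same reason as the zero fill: once the count and element size are multiplied in one place, that one place can also be the one that refuses a count large enough to wrap the product to a small allocation.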