[Png-mng-security] vulnerability in png_decompress_chunk()

John Bowler jbowler at frontiernet.net
Thu Feb 4 02:06:21 UTC 2010


From: Cosmin Truta
>John, why do you insist so much on breaking the ABI? 

You mean on *not* breaking the ABI.  I.e. why am I so very much against an architecture where so many API additions end up breaking the ABI (because they need additions to png_struct or png_info and, because these structures are exposed, this changes the *ABI* even though the *API* is completely backwards compatible.)

>Just bump the
>minor version number, recompile the software that, anyway, needs
>recompilation, and you're done. Version numbers are free...

If the ABI changes, the major version number must be changed; that's what "major" means in this context: if it does not change, the ABI is unchanged.

We're living in a fantasy land.  We assert that additions to the *end* of png_struct or png_info aren't ABI changes because we effectively but quietly make it illegal for the user of libpng to declare a png_struct or png_info.  We also deprecate direct access to png_struct or png_info other than the jmpbuf (and, in 1.4, including the jmpbuf).  Despite this, some very experienced libpng programmers do directly access the structures because they find the API inadequate: you and either Glenn or Bob (ImageMagick directly accesses 'ping_info', at least in 6.5.2.9).

The rules need to be clearer.  They need to be obeyed by, at the very least, everyone on this list and preferably everyone with voting rights on png-implement.

The entire interface needs to be function based - no tweaking values out of memory.

If we need a set of 'clear' functions in 1.5 that's fine by me.  What I dislike is the idea that we don't make progress on this now.  Better a 1.5.0 that breaks some apps than a 1.5.* that requires a 1.6 the next time we need to add a security related API enhancement.

>In addition, under-the-radar ABI break can be way worse than just
>removing a function. When the API breaks, compiler errors occur, and
>the programmer's intervention (i.e. the fix) is promptly required. But
>when the ABI breaks, bad things usually happen, without anyone
>knowing. Please try to avoid ABI breakage, as a general rule.

I certainly agree with all the above statements.

John Bowler <jbowler at acm.org>
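The silent ABI break described in the message above, shown as an added example that is not libpng's code and is not part of the original post. The two structs (info_v1, info_v2), the canary, and the accessor names are hypothetical stand-ins: v1 is the layout an application was compiled against and allocated itself, v2 is the same struct after the library appended one field "at the end". The first scenario shows the new library writing past the application's storage with no compiler error and no crash; the second shows the function-based alternative, where the library owns the allocation and the application only ever holds an opaque pointer, so the same growth is harmless.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* v1: the layout the application was compiled against (hypothetical). */
typedef struct {
    uint32_t width;
    uint32_t height;
    int32_t  bit_depth;
} info_v1;

/* v2: the same struct after the library appended one field "at the end". */
typedef struct {
    uint32_t width;
    uint32_t height;
    int32_t  bit_depth;
    uint64_t user_chunk_limit;   /* new in v2; the application never recompiled */
} info_v2;

/* Stands in for whatever variable happens to sit after the app's struct. */
#define CANARY_LEN 16
static const unsigned char CANARY[CANARY_LEN] = {
    0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x11, 0x22,
    0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00
};

/* A v2 library function: it only knows the v2 layout, so it stores the new
   field at offsetof(info_v2, user_chunk_limit).  memcpy onto a byte buffer
   keeps the demonstration defined behaviour instead of a real overflow. */
static void lib_v2_set_user_chunk_limit(void *info, uint64_t limit)
{
    memcpy((unsigned char *)info + offsetof(info_v2, user_chunk_limit),
           &limit, sizeof limit);
}

/* Scenario 1: the application declared its own storage, sized for v1, then
   called the newer library.  Returns 1 if the neighbouring bytes survived,
   0 if the library's write landed on them (the "under-the-radar" break). */
int app_declares_v1_then_calls_v2_lib(void)
{
    unsigned char storage[sizeof(info_v1) + CANARY_LEN];
    memset(storage, 0, sizeof(info_v1));
    memcpy(storage + sizeof(info_v1), CANARY, CANARY_LEN);

    lib_v2_set_user_chunk_limit(storage, 1024);  /* compiles, links, "works" */

    return memcmp(storage + sizeof(info_v1), CANARY, CANARY_LEN) == 0;
}

/* Scenario 2: function-based interface.  In the public header the handle is
   an incomplete type; only the library knows its size and members. */
typedef struct png_info_handle png_info_handle;
struct png_info_handle { info_v2 v; };            /* library-private definition */

png_info_handle *info_create(void)
{
    return calloc(1, sizeof(png_info_handle));    /* library picks the size */
}

void info_destroy(png_info_handle *h) { free(h); }

int info_set_user_chunk_limit(png_info_handle *h, uint64_t limit)
{
    if (h == NULL) return 0;
    h->v.user_chunk_limit = limit;
    return 1;
}

uint64_t info_get_user_chunk_limit(const png_info_handle *h)
{
    return h ? h->v.user_chunk_limit : 0;
}

/* The same growth through the opaque API: the application never sized the
   struct, so adding a member changes nothing it depends on. */
int app_uses_opaque_handle(void)
{
    png_info_handle *h = info_create();
    if (h == NULL) return 0;
    int ok = info_set_user_chunk_limit(h, 1024) &&
             info_get_user_chunk_limit(h) == 1024;
    info_destroy(h);
    return ok;
}

int main(void)
{
    printf("caller-declared v1 struct, v2 library: neighbour intact = %d\n",
           app_declares_v1_then_calls_v2_lib());
    printf("opaque handle, v2 library:             ok = %d\n",
           app_uses_opaque_handle());
    return 0;
}
```

The first scenario is exactly why appending to an exposed struct is only ABI-safe if no caller is ever allowed to declare one: the mismatch in sizeof is invisible at compile and link time and surfaces only as corruption of whatever sits next to the struct.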
