[Png-mng-security] vulnerability in png_decompress_chunk()

John Bowler jbowler at frontiernet.net
Thu Feb 4 02:06:21 UTC 2010

From: Cosmin Truta
>John, why do you insist so much on breaking the ABI? 

You mean on *not* breaking the ABI.  I.e. why am I so very much against an architecture where so many API additions end up breaking the ABI (because they need additions to png_struct or png_info and, because these structures are exposed, this changes the *ABI* even though the *API* is completely backwards compatible.)

>Just bump the
>minor version number, recompile the software that, anyway, needs
>recompilation, and you're done. Version numbers are free...

If the ABI changes, the major version number must be changed; that's what "major" means in this context: if it does not change, the ABI is unchanged.

We're living in a fantasy land.  We assert that additions to the *end* of png_struct or png_info aren't ABI changes because we effectively but quietly make it illegal for the user of libpng to declare a png_struct or png_info.  We also deprecate direct access to png_struct or png_info other than the jmpbuf (and, in 1.4, including the jmpbuf).  Despite this some very experienced libpng programmers do directly access the structures because they find the API inadequate: you and either Glenn or Bob (ImageMagick directly accesses 'ping_info', at least in

The rules need to be clearer.  They need to be obeyed by, at the very least, everyone on this list and preferably everyone with voting rights on png-implement.

The entire interface needs to be function based - no tweaking values out of memory.

If we need a set of 'clear' functions in 1.5 that's fine by me.  What I dislike is the idea that we don't make progress on this now.  Better a 1.5.0 that breaks some apps than a 1.5.* that requires a 1.6 the next time we need to add a security-related API enhancement.

>In addition, under-the-radar ABI break can be way worse than just
>removing a function. When the API breaks, compiler errors occur, and
>the programmer's intervention (i.e. the fix) is promptly required. But
>when the ABI breaks, bad things usually happen, without anyone
>knowing. Please try to avoid ABI breakage, as a general rule.

I certainly agree with all the above statements.

John Bowler <jbowler at acm.org>
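The mechanism John describes above (appending a field to an exposed struct keeps the API identical but silently changes the ABI for any caller that allocates the struct itself) and his proposed remedy (a purely function-based interface) are easy to show in a few lines of C. The following is an added example, not libpng code and not posted by anyone in this thread: the struct names, the `img_*` functions and the size-check/opaque-handle variants are hypothetical stand-ins for png_struct and its accessors. It is a safe, self-contained model of the corruption (the "application frame" is one union so the out-of-bounds write lands in observable, valid storage rather than real undefined behaviour).

```c
/* Added illustration, not part of libpng: why "just append a field" is an ABI
 * break for callers that declare the struct themselves, plus two fixes.
 * All type and function names here are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Layout the application was compiled against ("version 1" of the header). */
struct img_v1 {
    unsigned width;
    unsigned height;
};

/* Layout the shared library was rebuilt with: one field appended at the end.
 * Every existing function signature is unchanged (API compatible), but
 * sizeof() grew, so the ABI is not. */
struct img_v2 {
    unsigned width;
    unsigned height;
    unsigned gamma_fixed;   /* appended field, e.g. gamma * 100000 */
};

/* Naive initialiser: trusts that the caller's storage is a full struct img_v2. */
static void img_init_unchecked(struct img_v2 *s)
{
    s->width = 0;
    s->height = 0;
    s->gamma_fixed = 45455;   /* lands outside a v1-sized allocation */
}

/* Fix 1: the caller reports the size it was compiled with (the classic
 * "cbSize" pattern); a too-small struct is refused instead of overrun.
 * Returns 0 on success, -1 if the caller's struct is too small for this library. */
int img_init_checked(void *storage, size_t caller_size)
{
    if (storage == NULL || caller_size < sizeof(struct img_v2))
        return -1;
    img_init_unchecked((struct img_v2 *)storage);
    return 0;
}

/* Fix 2: a fully function-based interface. The public header would only say
 * "typedef struct img_handle img_handle;"; the layout lives in the library,
 * which is the only thing that ever allocates it, so fields can be appended
 * without changing the ABI. */
typedef struct img_handle img_handle;
struct img_handle { struct img_v2 priv; };   /* private to the library */

img_handle *img_create(void)          { return calloc(1, sizeof(img_handle)); }
void        img_destroy(img_handle *h){ free(h); }
int img_set_gamma(img_handle *h, unsigned g)
{
    if (h == NULL) return -1;
    h->priv.gamma_fixed = g;
    return 0;
}
unsigned img_get_gamma(const img_handle *h) { return h ? h->priv.gamma_fixed : 0; }

/* Demo: an application that wrote "struct img_v1 img; unsigned next_var;" on
 * its stack and handed &img to the newer library. Modelled as one union so the
 * overrun is observable in valid storage. Returns 1 if next_var was clobbered. */
int demo_unchecked_init_corrupts_neighbour(void)
{
    union {
        struct { struct img_v1 img; unsigned next_var; } app;  /* caller's view */
        struct img_v2 lib;                                     /* library's view */
    } frame;
    frame.app.img.width = 1;
    frame.app.img.height = 1;
    frame.app.next_var = 0xDEADBEEFu;           /* constructed sentinel */
    img_init_unchecked(&frame.lib);             /* writes gamma_fixed at offset 8 */
    return frame.app.next_var != 0xDEADBEEFu;   /* 1: library overwrote next_var */
}

/* Demo: the size-checked initialiser refuses an old caller (-1) ... */
int demo_checked_rejects_v1_caller(void)
{
    struct img_v1 old = { 0, 0 };
    return img_init_checked(&old, sizeof old);
}
/* ... and accepts a caller built against the current header (0). */
int demo_checked_accepts_v2_caller(void)
{
    struct img_v2 cur = { 0, 0, 0 };
    return img_init_checked(&cur, sizeof cur);
}

/* Demo: the opaque handle round-trips a value with no layout knowledge at all. */
unsigned demo_opaque_roundtrip(void)
{
    img_handle *h = img_create();
    unsigned g = 0;
    if (h && img_set_gamma(h, 45455) == 0)
        g = img_get_gamma(h);
    img_destroy(h);
    return g;
}

int main(void)
{
    printf("unchecked init clobbered neighbour: %d\n", demo_unchecked_init_corrupts_neighbour());
    printf("checked init, v1 caller: %d\n", demo_checked_rejects_v1_caller());
    printf("checked init, v2 caller: %d\n", demo_checked_accepts_v2_caller());
    printf("opaque handle gamma: %u\n", demo_opaque_roundtrip());
    return 0;
}
```

The first demo is the "bad things happen without anyone knowing" case from Cosmin's quoted paragraph: nothing fails to compile or link, the neighbouring variable is simply overwritten. The size-check variant turns that into a refused call; the opaque-handle variant removes the problem entirely, which is what "the entire interface needs to be function based" buys. (For comparison, libpng's own png_create_read_struct takes the caller's PNG_LIBPNG_VER_STRING and compares it against the library's version at create time, a coarser version of the same idea.)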
