[Png-mng-security] vulnerability in png_decompress_chunk()

Cosmin Truta ctruta at gmail.com
Fri Feb 5 02:29:41 UTC 2010


John wrote:
>> If the ABI changes, the major version number must be changed; that's what "major" means in this context, and if it does not change, the ABI is unchanged.

Glenn wrote:
>     Just to be precise, it is the minor version number that gets
>     bumped when the ABI changes.  1.0.x, 1.2.x, 1.4.x are "minor
>     versions".  I guess the leading "1." is just a decoration for
>     now, but when we make a libpng that looks really different
>     from 1.x.x, we'll call it 2.0.0.  I think making the
>     png_struct opaque probably falls in that category, although
>     we do seem to be sneaking up on that via the PNG_DEPSTRUCT
>     thing.

I agree with this analysis. It's one thing when PNG_DEPSTRUCT nags you
not to do it in libpng 1.x, but it's a different thing when you cannot
do it in libpng 2.0.

I wrote:
>> Well, adding things at the end of png_struct/png_info, almost at every
>> new libpng release,

Glenn wrote:
>     For the hundredth time, please don't exaggerate.  We added
>     new members five times in the 1.2.x series and once (proposed)
>     so far in 1.4.x.

I apologize; please don't mind me... (and the same goes for John...) I
tend to read fragments of discussions (as opposed to entire
discussions) more often recently, although I should try harder to
abstain from posting thoughts when I cannot read the full discussion
thread.

In my head, I'm hooked on the issue of having too many configuration
macros, and because of that (to me) everything seems too complex in
libpng, although there has been some really nice improvement from 1.2
to 1.4.

Ok, I'll stop digressing.

John wrote:
>> If we need a set of 'clear' functions in 1.5 that's fine by me.  What I dislike is the idea that we don't make progress on this now.

Glenn wrote:
>       Is "png_set_invalid()" not sufficient?  That's been in the
>       library since 1.0.7.  Maybe using it would cause memory leakage
>       but that could be fixed without changing the ABI/API.

Whoa, I had no idea it ever existed, when in fact it has been under my
nose all that time!!
Ok, I'll go back to my optipng-0.7 alpha and see how I can use this
old but new-for-me function.

Best regards,
Cosmin
