Fix for CAN-2004-0421:

Steve Grubb reports a buffer read overrun in libpng's
png_format_buffer function. A specially constructed PNG image
processed by an application using libpng may trigger the buffer
read overrun and possibly result in an application crash.

ok brad@
robert 2004-05-03 05:13:04 +00:00
parent c7f4eb31b7
commit f0431b4d0c
2 changed files with 22 additions and 2 deletions

@ -1,9 +1,9 @@
# $OpenBSD: Makefile,v 1.44 2004/02/24 23:18:57 brad Exp $
# $OpenBSD: Makefile,v 1.45 2004/05/03 05:13:04 robert Exp $
COMMENT= "library for manipulating PNG images"
DISTNAME= libpng-1.2.5
PKGNAME= ${DISTNAME:S/lib//}p2
PKGNAME= ${DISTNAME:S/lib//}p3
CATEGORIES= graphics
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=libpng/}

@ -0,0 +1,20 @@
$OpenBSD: patch-pngerror_c,v 1.1 2004/05/03 05:13:04 robert Exp $
--- pngerror.c.orig Sun May 2 22:47:58 2004
+++ pngerror.c Sun May 2 22:49:36 2004
@@ -135,10 +135,14 @@
buffer[iout] = 0;
else
{
+ int len = strlen(error_message);
+
+ if (len > 64)
+ len = 64;
buffer[iout++] = ':';
buffer[iout++] = ' ';
- png_memcpy(buffer+iout, error_message, 64);
- buffer[iout+63] = 0;
+ png_memcpy(buffer+iout, error_message, len);
+ buffer[iout+len-1] = 0;
}
}
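
Review bot: In the else branch, `buffer[iout+len-1] = 0;` puts the terminator on the last byte that `png_memcpy` has just copied, so every message shorter than 64 bytes loses its final character, and for an empty message (len 0) the write lands on the ' ' separator stored two lines earlier. Capping len at 63 instead of 64, copying len bytes, and terminating with `buffer[iout+len] = 0;` keeps the highest index written at iout+63, the same as the removed `buffer[iout+63] = 0;`, while preserving the whole message and still reading no further than strlen(error_message). A smaller point on the first added line: `int len = strlen(error_message);` narrows a size_t to int; declaring it as png_size_t avoids the implicit conversion.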