authorGlenn Randers-Pehrson <glennrp at users.sourceforge.net>2017-09-12 08:52:44 -0500
committerGlenn Randers-Pehrson <glennrp at users.sourceforge.net>2017-09-12 08:52:44 -0500
commit76b269b1f49cec91563711dd508d43c2c2f798d3 (patch)
treed5895405896af8db79918fb8c141196220712b0b
parent61d29bfc805e95b8f62cc96b4965092cf4396371 (diff)
downloadlibpng-76b269b1f49cec91563711dd508d43c2c2f798d3.tar.gz
[libpng16] Attempt to debug Uninitialized Memory Read in png_set_text_2(),
detected by the oss-fuzz project.
-rw-r--r--ANNOUNCE6
-rw-r--r--CHANGES6
-rw-r--r--pngset.c17
3 files changed, 11 insertions, 18 deletions
diff --git a/ANNOUNCE b/ANNOUNCE
index b943a5d12..469812dde 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -45,8 +45,10 @@ Version 1.6.33beta03 [September 12, 2017]
(Bug report by "irwir" in Github libpng issue #175).
Use pnglibconf.h.prebuilt when building for ANDROID with cmake (Github
issue 162, by rcdailey).
- Guard against Uninitialized Memory Read in png_check_icc_table(), detected
- by the oss-fuzz project.
+ Guard against Uninitialized Memory Read in png_icc_check_tag_table(),
+ detected by the oss-fuzz project.
+ Attempt to debug Uninitialized Memory Read in png_set_text_2(),
+ detected by the oss-fuzz project.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/CHANGES b/CHANGES
index 95e4441ef..68aa471b7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6015,8 +6015,10 @@ Version 1.6.33beta03 [September 12, 2017]
(Bug report by "irwir" in Github libpng issue #175).
Use pnglibconf.h.prebuilt when building for ANDROID with cmake (Github
issue 162, by rcdailey).
- Guard against Uninitialized Memory Read in png_check_icc_table(), detected
- by the oss-fuzz project.
+ Guard against Uninitialized Memory Read in png_icc_check_tag_table(),
+ detected by the oss-fuzz project.
+ Attempt to debug Uninitialized Memory Read in png_set_text_2(),
+ detected by the oss-fuzz project.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
diff --git a/pngset.c b/pngset.c
index d5e683ba1..7498b6764 100644
--- a/pngset.c
+++ b/pngset.c
@@ -886,10 +886,11 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
if (text_ptr[i].text == NULL)
text_is_null=1;
- else if (text_ptr[i].text[0] == '\0')
+ else if (text_ptr[i].text[0] == '\0') /* FIX THIS */
text_0_is_0=1;
- if (text_is_null)
+ /* oss-fuzz complains of UMR on the reference to text_0_is_0 */
+ if (text_is_null || text_0_is_0)
{
text_length = 0;
# ifdef PNG_iTXt_SUPPORTED
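Review bot: Merging the two conditions into `if (text_is_null || text_0_is_0)` does not remove the uninitialized read: when `text_ptr[i].text` is non-NULL and non-empty neither flag is assigned in the visible lines, so the `||` still reads whatever both flags held before, and the declaration that would initialize them is outside this hunk (the enclosing `png_set_text_2` body starts before L54 and continues after L65). The flags are not needed at all; the condition can test the input directly, `if (text_ptr[i].text == NULL || text_ptr[i].text[0] == '\0')`, which is safe because `||` short-circuits before the `[0]` dereference, and the two flag assignments plus the `/* FIX THIS */` placeholder can be dropped. If the flags are kept instead, declare them as `int text_is_null = 0, text_0_is_0 = 0;` inside the loop so each iteration starts clean. The comment `/* oss-fuzz complains of UMR on the reference to text_0_is_0 */` should then be replaced by one stating the fix rather than the symptom, e.g. `/* NULL or empty text is stored as zero-length, uncompressed */`.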
@@ -900,18 +901,6 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
# endif
textp->compression = PNG_TEXT_COMPRESSION_NONE;
}
- else if (text_0_is_0)
- {
- text_length = 0;
-# ifdef PNG_iTXt_SUPPORTED
- if (text_ptr[i].compression > 0)
- textp->compression = PNG_ITXT_COMPRESSION_NONE;
-
- else
-# endif
- textp->compression = PNG_TEXT_COMPRESSION_NONE;
- }
-
else
{
text_length = strlen(text_ptr[i].text);