author | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-09-12 08:52:44 -0500 |
---|---|---|
committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-09-12 08:52:44 -0500 |
commit | 76b269b1f49cec91563711dd508d43c2c2f798d3 (patch) | |
tree | d5895405896af8db79918fb8c141196220712b0b | |
parent | 61d29bfc805e95b8f62cc96b4965092cf4396371 (diff) | |
download | libpng-76b269b1f49cec91563711dd508d43c2c2f798d3.tar.gz |
[libpng16] Attempt to debug Uninitialized Memory Read in png_set_text_2(),
detected by the oss-fuzz project.
-rw-r--r-- | ANNOUNCE | 6 | ||||
-rw-r--r-- | CHANGES | 6 | ||||
-rw-r--r-- | pngset.c | 17 |
3 files changed, 11 insertions, 18 deletions
@@ -45,8 +45,10 @@ Version 1.6.33beta03 [September 12, 2017]
 (Bug report by "irwir" in Github libpng issue #175).
 Use pnglibconf.h.prebuilt when building for ANDROID with cmake (Github issue 162, by rcdailey).
- Guard against Uninitialized Memory Read in png_check_icc_table(), detected
- by the oss-fuzz project.
+ Guard against Uninitialized Memory Read in png_icc_check_tag_table(),
+ detected by the oss-fuzz project.
+ Attempt to debug Uninitialized Memory Read in png_set_text_2(),
+ detected by the oss-fuzz project.
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
@@ -6015,8 +6015,10 @@ Version 1.6.33beta03 [September 12, 2017]
 (Bug report by "irwir" in Github libpng issue #175).
 Use pnglibconf.h.prebuilt when building for ANDROID with cmake (Github issue 162, by rcdailey).
- Guard against Uninitialized Memory Read in png_check_icc_table(), detected
- by the oss-fuzz project.
+ Guard against Uninitialized Memory Read in png_icc_check_tag_table(),
+ detected by the oss-fuzz project.
+ Attempt to debug Uninitialized Memory Read in png_set_text_2(),
+ detected by the oss-fuzz project.
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
@@ -886,10 +886,11 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
 if (text_ptr[i].text == NULL)
 text_is_null=1;
- else if (text_ptr[i].text[0] == '\0')
+ else if (text_ptr[i].text[0] == '\0') /* FIX THIS */
 text_0_is_0=1;
- if (text_is_null)
+ /* oss-fuzz complains of UMR on the reference to text_0_is_0 */
+ if (text_is_null || text_0_is_0)
 {
 text_length = 0;
 # ifdef PNG_iTXt_SUPPORTED 
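Review bot: The new `if (text_is_null || text_0_is_0)` in the pngset.c hunk still reads both flags on the path where `text_ptr[i].text` is non-NULL and non-empty, which is the one path on which neither `text_is_null=1` nor `text_0_is_0=1` is executed; if the declarations (outside this hunk) leave the flags without an initializer, that is the same uninitialized read oss-fuzz reported, only with the two branches merged. The flags carry nothing the pointer test does not already give, so the uninitialized state can be removed rather than debugged: `if (text_ptr[i].text == NULL || text_ptr[i].text[0] == '\0')`, dropping the two flag assignments, or minimally `int text_is_null = 0, text_0_is_0 = 0;` where they are declared. The `/* FIX THIS */` marker should either say what is to be fixed or be removed, since as committed it reads as a leftover debugging note. The second pngset.c hunk below only deletes the now-duplicated `else if (text_0_is_0)` branch and needs no separate change. png_set_text_2 begins before and ends after these hunks.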
@@ -900,18 +901,6 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr, # endif textp->compression = PNG_TEXT_COMPRESSION_NONE; } - else if (text_0_is_0) - { - text_length = 0; -# ifdef PNG_iTXt_SUPPORTED - if (text_ptr[i].compression > 0) - textp->compression = PNG_ITXT_COMPRESSION_NONE; - - else -# endif - textp->compression = PNG_TEXT_COMPRESSION_NONE; - } - else { text_length = strlen(text_ptr[i].text); |