author | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-09-15 08:20:23 -0500 |
committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-09-15 08:20:23 -0500 |
commit | d1a0937caee54a4d847088cae913b24f57e6877a (patch) | |
tree | 64e1423dab0eb9eebfe5fb71b03ec61c655e1bc5 | |
parent | 1c98b8588624c6be62186e5c7ad138f922832413 (diff) | |
[libpng16] Still another attempt to fix oss-fuzz uninitialized value
-rw-r--r-- | png.c | 11 | ||||
-rw-r--r-- | pngset.c | 2 |
2 files changed, 8 insertions, 5 deletions
@@ -2208,15 +2208,18 @@ png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
 png_uint_32 tag_count = png_get_uint_32(profile+128);
 png_uint_32 itag;
 png_const_bytep tag = profile+132; /* The first tag */
+ png_uint_32 tag_start = 0;
+ png_uint_32 tag_id = 0;
+ png_uint_32 tag_length = 0;
 
 /* First scan all the tags in the table and add bits to the icc_info value
 * (temporarily in 'tags').
 */
 for (itag=0; itag < tag_count; ++itag, tag += 12)
 {
- png_uint_32 tag_id = png_get_uint_32(tag+0);
- png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */
- png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */
+ tag_id = png_get_uint_32(tag+0);
+ tag_length = png_get_uint_32(tag+8);/* not padded */
+ tag_start = png_get_uint_32(tag+4); /* must be aligned */
 
 /* The ICC specification does not exclude zero length tags, therefore the
 * start might actually be anywhere if there is no data, but this would be
@@ -2226,7 +2229,7 @@ png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
 */
 
 /* This is a hard error; potentially it can cause read outside the
- * profile. Oss-fuzz detects a potential UMR in tag_start reference.
+ * profile.
 */
 if (tag_start > profile_length || tag_length > profile_length - tag_start)
 return png_icc_profile_error(png_ptr, colorspace, name, tag_id,
@@ -881,7 +881,7 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
 }
 # endif
 
- /* oss-fuzz detects a potential UMR here */
+ /* oss-fuzz detects potential use of uninitialized value here */
 if (text_ptr[i].text == NULL || text_ptr[i].text[0] == '\0')
 {
 text_length = 0;
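Review bot: The hoisted, zero-initialised declarations at the top of the first hunk cannot be what silences an uninitialised-value report: tag_id, tag_length and tag_start are assigned on every iteration before the range check that follows, so the uninitialised data must be the profile bytes the loop reads at `tag+0`..`tag+11`, not the locals. Nothing in the hunk verifies that the tag table itself fits inside profile_length — tag_count is taken from `profile+128` and the loop reads 12 bytes per tag from `profile+132` unconditionally — so if the caller copied fewer than `132 + 12*tag_count` bytes into profile the loop reads beyond the initialised data; a guard before the loop such as `if (tag_count > (profile_length - 132) / 12) return png_icc_profile_error(png_ptr, colorspace, name, tag_count, "tag table exceeds profile length");` would close that, assuming profile_length >= 132 has already been established by a header check outside this hunk. Swapping the order of the tag_length and tag_start loads is likewise a no-op for a sanitizer, and widening three locals from loop scope to function scope only to placate it makes the code less clear; if the real cause is in the caller, keep the loop-scoped declarations. The function's signature and the rest of its body lie outside the hunk.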
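Review bot: The reworded comment on the new side of the pngset.c hunk still only records that a fuzzer flagged the next line, without saying whether the problem lies in this function or with its caller, so a later reader cannot tell whether anything remains to be fixed. The visible condition already treats a NULL text as empty (`text_length = 0`), and text_ptr[i] appears to be caller-supplied data, so the uninitialised value is presumably a text pointer or string the caller never initialised rather than something this function can guard against; say that explicitly: `/* oss-fuzz reported an uninitialized read here: text_ptr[i].text is supplied by the caller and must be initialized (NULL is accepted and treated as empty text). */`. The body of png_set_text_2 begins and ends outside this hunk.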