diff options
| author |   Ned Ludd <solar@gentoo.org> | 2004-05-09 06:32:23 +0000 |
|---|---|---|
| committer | Ned Ludd <solar@gentoo.org> | 2004-05-09 06:32:23 +0000 |
| commit | b0b7de5b009dd759313b4234f16146218f14ab58 (patch) | |
| tree | 9a0f42f81f2a33af53971d51ea12b3d6e27bd15e /media-libs/libpng/files/libpng-1.0.15-gentoo.diff | |
| parent | (no commit message) (diff) | |
| download | historical-b0b7de5b009dd759313b4234f16146218f14ab58.tar.gz historical-b0b7de5b009dd759313b4234f16146218f14ab58.tar.bz2 historical-b0b7de5b009dd759313b4234f16146218f14ab58.zip | |
The library provides 2 calls png_chunk_error and png_chunk_warning for default error and warning messages handling. Inside the code a fixed size buffer is used and 64 bytes are used to store the caller supplied message. But there are no bounds checking and this limitation is not documented. Programs linked against libpng may crash or even execute arbitrary code if the caller message is dependent on external inputs. Bugzilla bug #49887
Diffstat (limited to 'media-libs/libpng/files/libpng-1.0.15-gentoo.diff')
| -rw-r--r-- | media-libs/libpng/files/libpng-1.0.15-gentoo.diff | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/media-libs/libpng/files/libpng-1.0.15-gentoo.diff b/media-libs/libpng/files/libpng-1.0.15-gentoo.diff index 60604a458a5e..5a375bfeabc3 100644 --- a/media-libs/libpng/files/libpng-1.0.15-gentoo.diff +++ b/media-libs/libpng/files/libpng-1.0.15-gentoo.diff @@ -42,3 +42,19 @@ diff -urN libpng-1.0.15-old/pngrtran.c libpng-1.0.15/pngrtran.c for (i = 0; i < row_width; i++) { *(--dp) = *(--sp); +--- libpng-1.0.15-old/pngerror.c 2002-10-03 05:32:27.000000000 -0600 ++++ libpng-1.0.15/pngerror.c 2004-04-29 09:26:18.000000000 -0600 +@@ -135,10 +135,12 @@ + buffer[iout] = 0; + else + { ++ png_size_t len = strnlen(error_message, 63); ++ + buffer[iout++] = ':'; + buffer[iout++] = ' '; +- png_memcpy(buffer+iout, error_message, 64); +- buffer[iout+63] = 0; ++ png_memcpy(buffer+iout, error_message, len); ++ buffer[iout+len] = 0; + } + } |