Bug 120508 - CAN-2004-0421 libpng error reporting has out of bounds memory access
Status: CLOSED DUPLICATE of bug 121229
Product: Fedora
Classification: Fedora
Component: libpng
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Matthias Clasen
Reported: 2004-04-09 13:04 EDT by Steve Grubb
Modified: 2007-11-30 17:10 EST (History)
Doc Type: Bug Fix
Last Closed: 2006-02-21 14:02:30 EST

Attachments
Patch that fixes the problem (553 bytes, patch)
2004-04-09 13:06 EDT, Steve Grubb

Description Steve Grubb 2004-04-09 13:04:54 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2) Gecko/20040308

Description of problem:
During a code review I found an out of bounds access error in the
pngerror.c file. Line 139 is this:

png_memcpy(buffer+iout, message, 64);

but in pngutil.c we see this:

png_chunk_error(png_ptr, "CRC error");

The upshot is that it will copy 54 bytes past the end of the
error string. This could cause a core dump.

Version-Release number of selected component (if applicable):
libpng-1.2.2-19.1

How reproducible:
Always

Steps to Reproduce:
Found during code review

Additional info:

I will attach a patch that measures the message's length and adjusts
the memcpy accordingly.
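The defect the report describes is a fixed 64-byte copy from a source string that may be much shorter, so the copy reads past the end of the message. The following is an added illustration, not libpng's code and not the attached patch: it models the formatting step with a bounded copy that measures the message first, and a helper that computes how far the original fixed-length copy would read past the terminator. The buffer size, the 4-byte chunk-name prefix and all function names are assumptions; the constant 64 and the "CRC error" message come from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libpng's own code: a model of the pngerror.c message
 * formatting described in the report. BUF_SIZE, the chunk-name prefix and
 * the helper names are assumptions; 64 is the copy length from the report. */

#define MSG_COPY_LEN 64   /* the original png_memcpy always copied this many bytes */
#define BUF_SIZE     128  /* assumed size of the formatting buffer */

/* How many bytes a fixed png_memcpy(buffer+iout, message, 64) reads past the
 * terminating NUL of a shorter message. For "CRC error" this is
 * 64 - (9 + 1) = 54, the figure given in the report. */
size_t bytes_read_past_end(const char *message)
{
    size_t len_with_nul = strlen(message) + 1;
    return len_with_nul < MSG_COPY_LEN ? MSG_COPY_LEN - len_with_nul : 0;
}

/* Fixed variant: measure the message and copy only what exists, capped to
 * both the 64-byte limit and the room left in the destination buffer.
 * Returns the offset just past the copied text (where the NUL was written). */
size_t append_message(char *buffer, size_t iout, const char *message)
{
    size_t len  = strlen(message);
    size_t room = BUF_SIZE - iout - 1;   /* keep one byte for the NUL */

    if (len > MSG_COPY_LEN)
        len = MSG_COPY_LEN;
    if (len > room)
        len = room;

    memcpy(buffer + iout, message, len);
    buffer[iout + len] = '\0';
    return iout + len;
}

/* Builds "<chunk>: <message>" the way a chunk-error path would and verifies
 * that no byte beyond the written text was disturbed. Returns the end offset
 * on success, or -1 if the copy overran or the result is not NUL-terminated. */
int check_chunk_error_format(const char *chunk_name, const char *message)
{
    char buffer[BUF_SIZE];
    size_t iout, end, i;

    memset(buffer, 0x7f, sizeof buffer);   /* sentinel to detect overwrite */

    memcpy(buffer, chunk_name, 4);         /* PNG chunk names are 4 bytes */
    iout = 4;
    buffer[iout++] = ':';
    buffer[iout++] = ' ';
    end = append_message(buffer, iout, message);

    if (buffer[end] != '\0')
        return -1;
    for (i = end + 1; i < sizeof buffer; i++)
        if (buffer[i] != 0x7f)
            return -1;                      /* something wrote past the text */
    if (strncmp(buffer + iout, message, end - iout) != 0)
        return -1;
    return (int)end;
}

int main(void)
{
    /* constructed inputs: the message from the report and a 70-char message */
    const char *longmsg =
        "0123456789012345678901234567890123456789012345678901234567890123456789";

    printf("over-read for \"CRC error\": %zu bytes\n",
           bytes_read_past_end("CRC error"));
    printf("formatted end offset: %d\n",
           check_chunk_error_format("IDAT", "CRC error"));
    printf("long message end offset: %d\n",
           check_chunk_error_format("IDAT", longmsg));
    return 0;
}
```

The bounded variant caps the copy at the shorter of the message length, the 64-byte limit and the remaining buffer space, so a short message like "CRC error" is copied exactly and a message longer than 64 bytes is truncated rather than overflowing the destination.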
Comment 1 Steve Grubb 2004-04-09 13:06:38 EDT
Created attachment 99278 [details]
Patch that fixes the problem

Please apply before Fedora Core 2 final.
Comment 2 Matthias Clasen 2004-04-23 10:14:04 EDT

*** This bug has been marked as a duplicate of 121229 ***
Comment 3 Red Hat Bugzilla 2006-02-21 14:02:30 EST
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.