Bug 120508 - CAN-2004-0421 libpng error reporting has out of bounds memory access
Summary: CAN-2004-0421 libpng error reporting has out of bounds memory access
Keywords:
Status: CLOSED DUPLICATE of bug 121229
Alias: None
Product: Fedora
Classification: Fedora
Component: libpng
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Matthias Clasen
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2004-04-09 17:04 UTC by Steve Grubb
Modified: 2007-11-30 22:10 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2006-02-21 19:02:30 UTC
Type: ---
Embargoed:


Attachments
Patch that fixes the problem (553 bytes, patch), 2004-04-09 17:06 UTC, Steve Grubb

Description Steve Grubb 2004-04-09 17:04:54 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2) Gecko/20040308

Description of problem:
During a code review I found an out of bounds access error in the
pngerror.c file. Line 139 is this:

png_memcpy(buffer+iout, message, 64);

but in pngutil.c we see this:

png_chunk_error(png_ptr, "CRC error");

The upshot is that it will copy 54 bytes past the end of the
error string. This could cause a core dump.

Version-Release number of selected component (if applicable):
libpng-1.2.2-19.1

How reproducible:
Always

Steps to Reproduce:
Found during code review

Additional info:

I will attach a patch that measures the message's length and adjusts
the memcpy accordingly.
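
The copy pattern the report describes, as an added example written for this page (it is neither libpng's own pngerror.c code nor the attached patch): a small model of a chunk-error formatter that prefixes the 4-byte chunk name to a caller-supplied message, in the fixed-64-byte form beside a length-checked form. PNG_MSG_LEN, the function names, and the 'X'-padded 64-byte source buffer used to exercise the unsafe form without leaving memory the program owns are assumptions of this example, not values taken from libpng.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the destination message buffer: up to 16 bytes of
 * chunk name (non-alphabetic bytes render as "[xx]"), ": ", and 64
 * bytes of message. This is a constant of the example, not libpng's. */
#define PNG_MSG_LEN (16 + 2 + 64)

/* Writes the chunk name into buffer; at most 16 bytes, no terminator.
 * Returns the number of bytes written. */
static size_t format_chunk_name(char *buffer, const unsigned char chunk_name[4])
{
    static const char hex[] = "0123456789abcdef";
    size_t iout = 0;
    for (int i = 0; i < 4; i++) {
        unsigned char c = chunk_name[i];
        if (isalpha((int)c)) {
            buffer[iout++] = (char)c;
        } else {
            buffer[iout++] = '[';
            buffer[iout++] = hex[c >> 4];
            buffer[iout++] = hex[c & 0x0f];
            buffer[iout++] = ']';
        }
    }
    return iout;
}

/* Unsafe form: always copies 64 bytes from message. For "CRC error"
 * (9 characters plus NUL) that reads 54 bytes past the end of the
 * string literal. The destination write itself stays inside buffer. */
static void format_buffer_vulnerable(char buffer[PNG_MSG_LEN],
                                     const unsigned char chunk_name[4],
                                     const char *message)
{
    size_t iout = format_chunk_name(buffer, chunk_name);
    buffer[iout++] = ':';
    buffer[iout++] = ' ';
    memcpy(buffer + iout, message, 64);   /* over-reads any message shorter than 64 bytes */
    buffer[iout + 63] = '\0';
}

/* Checked form: copies only the bytes the message actually has, and no
 * more than the room left in the destination, then terminates.
 * Returns the number of message bytes copied so a caller can notice
 * truncation of long messages. */
static size_t format_buffer_fixed(char buffer[PNG_MSG_LEN],
                                  const unsigned char chunk_name[4],
                                  const char *message)
{
    size_t iout = format_chunk_name(buffer, chunk_name);
    buffer[iout++] = ':';
    buffer[iout++] = ' ';
    size_t room = PNG_MSG_LEN - iout - 1;  /* keep one byte for the NUL */
    size_t len = strlen(message);          /* measure the source ... */
    if (len > room)
        len = room;                        /* ... and respect the destination */
    memcpy(buffer + iout, message, len);
    buffer[iout + len] = '\0';
    return len;
}

/* Bytes the fixed-size copy reads past the message's terminating NUL:
 * 64 minus (strlen + 1), or 0 once the message fills the whole copy. */
static size_t overread_bytes(const char *message)
{
    size_t have = strlen(message) + 1;
    return have >= 64 ? 0 : 64 - have;
}

/* Runs the unsafe form on a constructed 64-byte source: the message,
 * then 'X' padding standing in for whatever follows a real string
 * literal in memory. Returns 1 if padding bytes were copied into the
 * output past the message's NUL, which is the over-read made visible. */
static int vulnerable_copies_past_terminator(void)
{
    const unsigned char idat[4] = {'I', 'D', 'A', 'T'};
    char src[64];
    char out[PNG_MSG_LEN];
    memset(src, 'X', sizeof src);
    memcpy(src, "CRC error", 10);          /* 9 characters plus the NUL */
    format_buffer_vulnerable(out, idat, src);
    /* "IDAT: " is 6 bytes; the message and its NUL occupy the next 10 */
    return out[6 + 10] == 'X' && out[6 + 63] == '\0';
}

int main(void)
{
    const unsigned char idat[4] = {'I', 'D', 'A', 'T'};
    const unsigned char odd[4] = {0x00, 'D', 0xff, 'T'};
    char out[PNG_MSG_LEN];

    printf("fixed-size copy of \"CRC error\" reads %zu bytes past its NUL; "
           "padding copied into output: %s\n",
           overread_bytes("CRC error"),
           vulnerable_copies_past_terminator() ? "yes" : "no");

    size_t n = format_buffer_fixed(out, idat, "CRC error");
    printf("checked: \"%s\" (%zu message bytes)\n", out, n);
    format_buffer_fixed(out, odd, "CRC error");
    printf("checked: \"%s\"\n", out);
    return 0;
}
```

Both forms leave the output string the same when printed, because the copied bytes after the message's own NUL are never shown; the difference is only in what the copy reads, which is why a review, rather than testing, found this one. The checked form also bounds the copy by the destination, so a long message truncates instead of running off the end of the 82-byte buffer.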

Comment 1 Steve Grubb 2004-04-09 17:06:38 UTC
Created attachment 99278
Patch that fixes the problem

Please apply before Fedora Core 2 final.

Comment 2 Matthias Clasen 2004-04-23 14:14:04 UTC

*** This bug has been marked as a duplicate of 121229 ***

Comment 3 Red Hat Bugzilla 2006-02-21 19:02:30 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

