Red Hat Bugzilla – Bug 120508
CAN-2004-0421 libpng error reporting has out of bounds memory access
Last modified: 2007-11-30 17:10:40 EST
Description of problem:
During a code review I found an out of bounds access error in the
pngerror.c file. Line 139 is this:
png_memcpy(buffer+iout, message, 64);
but in pngutil.c we see this:
png_chunk_error(png_ptr, "CRC error");
The upshot is that it will copy 54 bytes past the end of the
error string. This could cause a core dump.
Steps to Reproduce:
Found during code review
I will attach a patch that measures the message's length and adjusts
the memcpy accordingly.
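The bounded copy the report asks for, written out as an added example: this is neither libpng's pngerror.c nor the attached patch, but a small model of the same formatting step (a 4-byte chunk name, ": ", then the message, into a fixed-size buffer). The 64-byte buffer size, the `?` masking of non-letter chunk-name bytes, and the function names `overread_bytes` and `format_chunk_error` are assumptions made for this example.

```c
#include <assert.h>
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not libpng's code, not the attached patch). It models
 * the formatting step the report describes: a 4-byte chunk name, ": ",
 * then the error message, written into a fixed-size buffer. The line
 * quoted in the report,
 *     png_memcpy(buffer+iout, message, 64);
 * always copies 64 bytes no matter how long `message` is, so for the
 * 10-byte "CRC error" (9 characters plus NUL) it reads 54 bytes past
 * the end of the string literal. The names below are hypothetical,
 * chosen for this example. */

#define MSG_BUF_SIZE 64   /* assumed size of the caller's message buffer */

/* Bytes a fixed copy of `copy_len` bytes would read past the end of
 * `message` (terminating NUL included). Returns 0 when the copy fits. */
size_t overread_bytes(const char *message, size_t copy_len)
{
    size_t len = strlen(message) + 1;
    return copy_len > len ? copy_len - len : 0;
}

/* Hardened formatter: bounds the copy by the real message length and by
 * the space left in `buffer`, and always NUL-terminates. Returns the
 * number of characters written, not counting the NUL. */
size_t format_chunk_error(char *buffer, size_t buf_size,
                          const char chunk_name[4], const char *message)
{
    size_t iout = 0;

    if (buffer == NULL || buf_size == 0)
        return 0;

    /* Chunk name: keep ASCII letters, mask anything else as '?' so a
     * corrupt name cannot put control bytes into the log line. */
    for (int i = 0; i < 4 && iout < buf_size - 1; i++) {
        unsigned char c = (unsigned char)chunk_name[i];
        buffer[iout++] = isalpha(c) ? (char)c : '?';
    }

    if (message != NULL) {
        if (iout < buf_size - 1) buffer[iout++] = ':';
        if (iout < buf_size - 1) buffer[iout++] = ' ';

        /* The fix the report asks for: copy min(strlen(message), room)
         * instead of a constant 64 bytes. */
        size_t room = buf_size - 1 - iout;
        size_t n = strlen(message);
        if (n > room)
            n = room;
        memcpy(buffer + iout, message, n);
        iout += n;
    }

    buffer[iout] = '\0';
    return iout;
}

int main(void)
{
    char buf[MSG_BUF_SIZE];
    size_t n = format_chunk_error(buf, sizeof buf, "IDAT", "CRC error");
    printf("%zu bytes: \"%s\"\n", n, buf);
    printf("fixed 64-byte copy of \"CRC error\" over-reads by %zu bytes\n",
           overread_bytes("CRC error", 64));
    return 0;
}
```

The two bounds matter independently: `strlen(message)` stops the over-read the report describes, and `room` stops a long message from overflowing the destination once the copy is no longer a constant.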
Created attachment 99278
Patch that fixes the problem
Please apply before Fedora Core 2 final.
*** This bug has been marked as a duplicate of 121229 ***
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.