You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
50 lines
1.4 KiB
50 lines
1.4 KiB
Patch from:
|
|
|
|
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=65e6d5a34f49acdb362a0625a706c6b914e670af
|
|
|
|
to fix:
|
|
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=717510
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=717511
|
|
CVE-2011-2501
|
|
|
|
I have modified this patch to remove the changes to ANNOUNCE
|
|
and CHANGES files, and the hunk in pngerror.c which just updates
|
|
a comment.
|
|
|
|
- RWMJ.
|
|
|
|
From 65e6d5a34f49acdb362a0625a706c6b914e670af Mon Sep 17 00:00:00 2001
|
|
From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
|
|
Date: Tue, 7 Jun 2011 14:58:07 -0500
|
|
Subject: [PATCH] [master] Fixed 1-byte uninitialized memory reference in png_format_buffer()
|
|
|
|
(Bug report by Frank Busse, related to CVE-2004-0421).
|
|
---
|
|
ANNOUNCE | 6 ++++--
|
|
CHANGES | 4 +++-
|
|
pngerror.c | 11 ++++++++---
|
|
3 files changed, 15 insertions(+), 6 deletions(-)
|
|
|
|
--- a/pngerror.c
|
|
+++ b/pngerror.c
|
|
@@ -186,8 +186,13 @@ png_format_buffer(png_structp png_ptr, png_charp buffer, png_const_charp
|
|
{
|
|
buffer[iout++] = ':';
|
|
buffer[iout++] = ' ';
|
|
- png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT);
|
|
- buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0';
|
|
+
|
|
+ iin = 0;
|
|
+ while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
|
|
+ buffer[iout++] = error_message[iin++];
|
|
+
|
|
+ /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
|
|
+ buffer[iout] = '\0';
|
|
}
|
|
}
|
|
|
|
--
|
|
1.7.0.1
|
|
|