Bug 242915 - PNG out-of-bounds read during error message processing
Status: VERIFIED FIXED
Whiteboard: [sg:dos]
Keywords: fixed1.4.3, verified1.7
Product: Core
Classification: Components
Component: ImageLib
Version: Trunk
Hardware/OS: All / All
Priority: --
Severity: normal
Target Milestone: ---
Assigned To: Glenn Randers-Pehrson
URL: http://libpng.sourceforge.net/crasher...
Reported: 2004-05-07 03:45 PDT by Glenn Randers-Pehrson
Modified: 2004-07-08 13:20 PDT
Flags: chofmann: blocking1.7+


Attachments
patch for PNG read-out-of-bounds bug in pngerror (1.32 KB, patch)
2004-05-07 03:48 PDT, Glenn Randers-Pehrson
tor: review+
tor: superreview+
caillon: approval1.4.3+
dveditz: approval1.7+

Description Glenn Randers-Pehrson 2004-05-07 03:45:32 PDT
A bug in pngerror.c has been discovered recently and reported to bugtraq and
various distro mailing lists.  The PNG Group has developed and released a patch
for the bug.  It is highly unlikely that the bug could actually be exploited.
Comment 1 Glenn Randers-Pehrson 2004-05-07 03:48:17 PDT
Created attachment 147883
patch for PNG read-out-of-bounds bug in pngerror

Here is a copy of the PNG group's patch.  It uses strncpy() while some distro
vendors are providing a patch that uses strlen() followed by memcpy().  The PNG
group believes that the strncpy solution is more robust.
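Added illustration (editor's example, not the attached patch and not libpng's source): a C reconstruction of the bug class and of the two fixes Comment 1 compares. The pre-patch pngerror.c pattern, as the editor recalls it and not as this page states it, copied a fixed 64-byte block of the error text into the chunk-error message buffer, which over-reads any message shorter than that. Buffer sizes, function names, the IHDR chunk name and the sample message are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Sizes and names are this example's own assumptions, not libpng's. */
#define CHUNK_NAME_LEN  4
#define MAX_ERROR_TEXT  64                                    /* budget for the message part */
#define MSG_BUF_SIZE    (CHUNK_NAME_LEN + 2 + MAX_ERROR_TEXT) /* "NAME: " + message */

typedef void (*copy_fn)(char *dst, const char *msg);

static const unsigned char IHDR_NAME[CHUNK_NAME_LEN] = { 'I', 'H', 'D', 'R' };

/* Emit "NAME: " and return its length, i.e. where the message text starts. */
static size_t write_prefix(char *buf, const unsigned char name[CHUNK_NAME_LEN])
{
    memcpy(buf, name, CHUNK_NAME_LEN);
    buf[CHUNK_NAME_LEN] = ':';
    buf[CHUNK_NAME_LEN + 1] = ' ';
    return CHUNK_NAME_LEN + 2;
}

/* VULNERABLE shape: reads a full MAX_ERROR_TEXT bytes from msg however short it
 * is, so a 10-character message is read 53 bytes past its terminator. */
static void copy_fixed_memcpy(char *dst, const char *msg)
{
    memcpy(dst, msg, MAX_ERROR_TEXT);
    dst[MAX_ERROR_TEXT - 1] = '\0';
}

/* FIX A (PNG group): strncpy stops reading at the terminator and NUL-pads the
 * rest; terminate by hand, since strncpy does not when the source is too long. */
static void copy_strncpy(char *dst, const char *msg)
{
    strncpy(dst, msg, MAX_ERROR_TEXT - 1);
    dst[MAX_ERROR_TEXT - 1] = '\0';
}

/* FIX B (distro patches): measure, clamp, then copy exactly that many bytes. */
static void copy_strlen_memcpy(char *dst, const char *msg)
{
    size_t n = strlen(msg);
    if (n > MAX_ERROR_TEXT - 1)
        n = MAX_ERROR_TEXT - 1;
    memcpy(dst, msg, n);
    memset(dst + n, 0, MAX_ERROR_TEXT - n);   /* zero the tail like strncpy does */
}

/* Build "NAME: message" into out (MSG_BUF_SIZE bytes) with the chosen copy;
 * returns the offset at which the message text begins. */
static size_t format_chunk_message(char *out, const unsigned char *name, const char *msg, copy_fn copy)
{
    memset(out, 0, MSG_BUF_SIZE);
    size_t pre = write_prefix(out, name);
    copy(out + pre, msg);
    return pre;
}

/* 1 if msg formats to exactly expected.  Safe with copy_fixed_memcpy only when
 * msg is at least MAX_ERROR_TEXT bytes long. */
static int formats_as(copy_fn copy, const char *msg, const char *expected)
{
    char out[MSG_BUF_SIZE];
    format_chunk_message(out, IHDR_NAME, msg, copy);
    return strcmp(out, expected) == 0;
}

/* Plant a short constructed message inside an arena of 0xAA sentinel bytes so
 * any over-read stays in memory we own, then count sentinels that landed in the
 * output after the message's NUL.  0 means the strategy did not over-read. */
static size_t overread_bytes(copy_fn copy)
{
    unsigned char arena[2 * MAX_ERROR_TEXT];
    memset(arena, 0xAA, sizeof arena);
    memcpy(arena, "bad length", 11);               /* 10 chars + NUL, constructed */
    char out[MSG_BUF_SIZE];
    size_t pre = format_chunk_message(out, IHDR_NAME, (const char *)arena, copy);
    size_t count = 0;
    for (size_t i = pre + strlen(out + pre) + 1; i < pre + MAX_ERROR_TEXT; i++)
        count += ((unsigned char)out[i] == 0xAA);
    return count;
}

/* Message length for an over-long input: every strategy clamps to 63 bytes. */
static size_t truncated_length(copy_fn copy)
{
    char longmsg[2 * MAX_ERROR_TEXT], out[MSG_BUF_SIZE];
    memset(longmsg, 'x', sizeof longmsg - 1);
    longmsg[sizeof longmsg - 1] = '\0';
    size_t pre = format_chunk_message(out, IHDR_NAME, longmsg, copy);
    return strlen(out + pre);
}

int main(void)
{
    printf("sentinel bytes leaked past NUL: memcpy(64)=%zu strncpy=%zu strlen+memcpy=%zu\n",
           overread_bytes(copy_fixed_memcpy), overread_bytes(copy_strncpy),
           overread_bytes(copy_strlen_memcpy));
    return 0;
}
```

Compile with cc and run: the sentinel count is 52 for the fixed memcpy (53 bytes are read past the NUL; one of them is then overwritten by the forced terminator) and 0 for both fixes, while all three produce the same 63-byte text for an over-long message, so neither fix changes behaviour on valid input. The reason strncpy is the more robust of the two fixes: it bounds the read and the write by the same count, so a message that is not itself terminated within 63 bytes still cannot be over-read, whereas strlen() has no bound and scans until it finds a NUL before the memcpy length is clamped. The price of strncpy is the rule shown in copy_strncpy: it writes no terminator when the source fills the count, so the explicit final NUL is not optional.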
Comment 2 Glenn Randers-Pehrson 2004-05-07 04:40:39 PDT
Comment on attachment 147883
patch for PNG read-out-of-bounds bug in pngerror

tor: r?
Comment 3 tor 2004-05-07 10:17:11 PDT
Checked in on trunk.
Comment 4 Daniel Veditz [:dveditz] 2004-05-07 10:40:28 PDT
Comment on attachment 147883
patch for PNG read-out-of-bounds bug in pngerror

a=dveditz for 1.7
Comment 5 Daniel Veditz [:dveditz] 2004-05-07 10:42:03 PDT
Sorry for bug spam, setting and clearing security flag so it'll show up on the
right queries
Comment 6 Daniel Veditz [:dveditz] 2004-05-07 10:49:36 PDT
Checked in on 1.7 branch
Comment 7 tor 2004-05-07 12:50:46 PDT
In on trunk/branch - closing.
Comment 9 Daniel Veditz [:dveditz] 2004-06-17 13:36:03 PDT
Adding Jon Granrose to CC list to help round up QA resources for verification
Comment 10 Jon Granrose 2004-06-18 09:41:35 PDT
adding tracy to verify on 1.7
Comment 11 Tracy Walker [:tracy] 2004-06-21 15:00:07 PDT
Glenn, can you provide a test case or verify this is fixed in 1.7?
Comment 12 Glenn Randers-Pehrson 2004-06-21 16:25:31 PDT
There is no exploit, to my knowledge, nor any test case.  I have just examined
the source code of a fresh checkout of Moz-1.7 and can verify that the bug has
been fixed.  However, the trunk version of MOZCHANGES wasn't checked in to Moz-1.7.
Comment 13 Tracy Walker [:tracy] 2004-06-22 09:13:48 PDT
verified per reporter's comments
Comment 14 Christopher Aillon (sabbatical, not receiving bugmail) 2004-07-08 13:19:42 PDT
Comment on attachment 147883
patch for PNG read-out-of-bounds bug in pngerror

a=blizzard