Closed Bug 446582 Opened 11 years ago Closed 11 years ago

Memory leak with PNG iCCP chunk when color_management is enabled

Component: Core :: ImageLib (defect)
Status: RESOLVED FIXED
Reporter: glennrp+bmo, Assigned: glennrp+bmo
Attachments: 1 obsolete file
A vulnerability has been reported to the libpng developers, whereby a PNG file with a malformed iCCP chunk can leak a large amount of memory (libpng detects the bad chunk but fails to free the data buffer).  It is fixed in libpng-1.2.30rc03.  A number of other ancillary PNG chunks are also vulnerable, but those are ignored by mozilla.  This vulnerability only exists in mozilla when color management is enabled.  It can be fixed in mozilla either by installing libpng-1.2.30 when it comes out in about a week from now, or by applying a small patch that only addresses the vulnerability in the iCCP chunk.
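The failure mode the report describes (a buffer allocated to hold the chunk data that is never released once the chunk is rejected) is shown below as an added illustration. This is not libpng's code and not the patch attached to this bug: it is a hypothetical iCCP handler in its leaky and its corrected form, with a small allocation counter so the leak can be observed in a test. The function names, the header checks and the two sample chunks are constructed for this example; the real libpng validation is considerably richer.

```c
/* Added example, not libpng's code: a hypothetical iCCP chunk handler that
 * shows the bug class in this report (heap buffer not freed on the error
 * path) beside the corrected form. A counter of live allocations makes the
 * leak visible without a debugger. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Allocations not yet freed; a value other than 0 after a handler returns is a leak. */
static int g_live_allocs = 0;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p) g_live_allocs++;
    return p;
}

static void tracked_free(void *p) {
    if (p) { g_live_allocs--; free(p); }
}

int live_allocs(void) { return g_live_allocs; }

/* iCCP chunk layout per the PNG spec: profile name (1-79 bytes), a NUL
 * separator, one compression-method byte (must be 0), then the
 * zlib-compressed ICC profile. */
#define ICCP_MAX_NAME 79

/* Hypothetical header validation. Returns 1 if well formed, 0 otherwise. */
static int iccp_header_ok(const uint8_t *data, size_t len, size_t *hdr_len) {
    size_t i;
    for (i = 0; i < len && data[i] != 0; i++) {
        if (i >= ICCP_MAX_NAME) return 0;   /* profile name too long */
    }
    if (i == 0 || i >= len) return 0;       /* empty name, or no NUL separator */
    if (i + 1 >= len) return 0;             /* compression-method byte missing */
    if (data[i + 1] != 0) return 0;         /* unknown compression method */
    if (i + 2 >= len) return 0;             /* no profile bytes at all */
    *hdr_len = i + 2;
    return 1;
}

/* Leaky form: copies the chunk into a heap buffer, then returns on a
 * malformed header without releasing that buffer. Returns 0 on error. */
int handle_iccp_leaky(const uint8_t *chunk, size_t len) {
    size_t hdr;
    uint8_t *buf = tracked_malloc(len);
    if (!buf) return 0;
    memcpy(buf, chunk, len);
    if (!iccp_header_ok(buf, len, &hdr))
        return 0;                 /* BUG: buf is never freed on this path */
    /* ... decompression of the profile would follow here ... */
    tracked_free(buf);
    return 1;
}

/* Fixed form: a single exit point, so the buffer is released on every path. */
int handle_iccp_fixed(const uint8_t *chunk, size_t len) {
    size_t hdr;
    int ok = 0;
    uint8_t *buf = tracked_malloc(len);
    if (!buf) return 0;
    memcpy(buf, chunk, len);
    if (iccp_header_ok(buf, len, &hdr)) {
        /* ... decompression of the profile would follow here ... */
        ok = 1;
    }
    tracked_free(buf);            /* reached on success and on error alike */
    return ok;
}

/* Constructed sample chunks (not real profiles): name "icc", NUL, then the
 * compression-method byte, then a few placeholder profile bytes. */
const uint8_t kGoodIccp[] = { 'i', 'c', 'c', 0, 0, 0x78, 0x9c, 1, 2 };
const uint8_t kBadIccp[]  = { 'i', 'c', 'c', 0, 1, 0x78, 0x9c, 1, 2 }; /* method 1 is invalid */
const size_t kGoodIccpLen = sizeof kGoodIccp;
const size_t kBadIccpLen  = sizeof kBadIccp;

int main(void) {
    handle_iccp_fixed(kBadIccp, kBadIccpLen);
    printf("fixed handler, bad chunk: live allocations = %d\n", live_allocs());
    handle_iccp_leaky(kBadIccp, kBadIccpLen);
    printf("leaky handler, bad chunk: live allocations = %d\n", live_allocs());
    return 0;
}
```

The counter stands in for what a leak checker (Valgrind, ASan's LeakSanitizer) would report: feeding a rejected chunk to the leaky handler leaves one allocation outstanding per call, which is why a file carrying many malformed ancillary chunks can consume a large amount of memory, while the fixed handler returns with the count unchanged.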
Glenn, I assume you'll be changing bug 418900 to reflect the release of 1.2.30 when it's out? If so, might as well make bug one depend on that one :)
Yes, I will, but that bug #418900 is stuck due to a vague report that it does not process some APNGs properly.  I can't proceed without some more details.  So I think we will probably also need the small specific bugfix here, even though it would be a lot nicer to keep the APNG fork in sync with regular libpng.
This patch was extracted from libpng-1.2.30rc04.
Libpng-1.2.31 has been released and contains the fix for this bug.  See bug #418900.
Depends on: 418900
Comment on attachment 330822 [details] [diff] [review]
Update trunk png/png_handle_iCCP to version 1.2.30

This patch is rendered obsolete by check-in of libpng-1.2.31 from bug #418900
Attachment #330822 - Attachment is obsolete: true
Resolved WORKSFORME now that libpng-1.2.31 is checked in.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Resolved FIXED (by checkin of bug#418900), not WORKSFORME.
Resolution: WORKSFORME → FIXED