blob: c4f98c69a4d1ea89fa5d1cbb66bb6b12c5d92b39 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
This patch is taken from upstream and is a fix for CVE CVE-2011-2501
Description: fix denial of service via error message data
Origin: upstream, http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=65e6d5a34f49acdb362a0625a706c6b914e670af
Upstream-Status: Backport
Signed-off-by: Joshua Lock <josh@linux.intel.com>
Index: libpng-1.2.44/pngerror.c
===================================================================
--- libpng-1.2.44.orig/pngerror.c 2011-07-26 08:18:20.769498103 -0400
+++ libpng-1.2.44/pngerror.c 2011-07-26 08:18:32.819498098 -0400
@@ -181,8 +181,13 @@
{
buffer[iout++] = ':';
buffer[iout++] = ' ';
- png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT);
- buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0';
+
+ iin = 0;
+ while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
+ buffer[iout++] = error_message[iin++];
+
+ /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
+ buffer[iout] = '\0';
}
}
|
