[devel] Fixed 1-byte uninitialized memory reference in png_format_buffer()

(Bug report by Frank Busse, related to CVE-2004-0421).
author: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> 2011-06-07 14:35:30 -0500
committer: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> 2011-06-07 14:35:30 -0500
commit: 07e1d34a8498ebcdaf33a438b6f476f84f7f2b53 (patch)
tree: ddc5b5ef12ac44848366a1b4dd1edc6843e2aa4c /pngerror.c
parent: 36edbb5eee1091a13f1058ee1ec7d518028a583a (diff)
download: libpng-07e1d34a8498ebcdaf33a438b6f476f84f7f2b53.tar.gz
1 files changed, 7 insertions, 2 deletions
diff --git a/pngerror.c b/pngerror.c
index 4881dfe82..419f83a7f 100644
--- a/pngerror.c
+++ b/pngerror.c
@@ -400,8 +400,13 @@ png_format_buffer(png_structp png_ptr, png_charp buffer, png_const_charp
    {
       buffer[iout++] = ':';
       buffer[iout++] = ' ';
-      png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT);
-      buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0';
+
+      iin = 0;
+      while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
+         buffer[iout++] = error_message[iin++];
+
+      /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
+      buffer[iout] = '\0';
    }
 }
 #endif /* PNG_WARNINGS_SUPPORTED || PNG_ERROR_TEXT_SUPPORTED */
author	Glenn Randers-Pehrson <glennrp at users.sourceforge.net>	2011-06-07 14:35:30 -0500
committer	Glenn Randers-Pehrson <glennrp at users.sourceforge.net>	2011-06-07 14:35:30 -0500
commit	07e1d34a8498ebcdaf33a438b6f476f84f7f2b53 (patch)
tree	ddc5b5ef12ac44848366a1b4dd1edc6843e2aa4c /pngerror.c
parent	36edbb5eee1091a13f1058ee1ec7d518028a583a (diff)
download	libpng-07e1d34a8498ebcdaf33a438b6f476f84f7f2b53.tar.gz