Fix for CVE-2007-2445 --- libpng crashes if CRC error is detected in
a grayscale tRNS chunk, because png_handle_tRNS leaves inconsistent state
which eventually leads to attempting to free() unallocated memory.
diff -Naur libpng-1.2.16.orig/pngrutil.c libpng-1.2.16/pngrutil.c
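--- libpng-1.2.16.orig/pngrutil.c 2007-01-31 08:22:35.000000000 -0500
+++ libpng-1.2.16/pngrutil.c 2007-05-12 17:07:41.000000000 -0400
@@ -1314,7 +1314,10 @@
 }
 
 if (png_crc_finish(png_ptr, 0))
+ {
+ png_ptr->num_trans = 0;
 return;
+ }
 
 png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
 &(png_ptr->trans_values));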
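Review bot: The new early-return branch after `png_crc_finish(png_ptr, 0)` clears `png_ptr->num_trans` without a comment saying which invariant it restores, so a later cleanup could drop the assignment and reintroduce the bad free() described in the patch header. I would add above the assignment something like `/* CRC error: png_set_tRNS() is skipped, so clear the count (presumably set earlier in this function) to keep png_ptr consistent */`. The function begins outside this hunk, so any other exit taken after num_trans is assigned is not visible here and should be checked for the same reset. A regression test that reads and then destroys a grayscale image whose tRNS chunk has a bad CRC would pin the fix.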