Fwd: [OpenPKG-SA-2004.035] OpenPKG Security Advisory (png)

Matthias B. msbREMOVE-THIS at winterdrache.de
Sat Aug 7 06:57:47 PDT 2004


On Fri, 6 Aug 2004 13:06:38 +0100 Ian Molton <spyro at f2s.com> wrote:

> On Thu, 5 Aug 2004 15:16:02 +0100
> Ian Molton <spyro at f2s.com> wrote:
> 
> > > Looks like it's much more than png that we need to worry about.
> > 
> > not me... the joys of dynamic linking - not one of my programs
> > contains a static libpng (I just checked).
> 
> Interestingly, interlaced PNGs seem to render wrong in mozilla since
> upgrading libpng. Only in moz though - nautilus, gimp, etc. are fine.

The bug is in the progressive reading code. Nautilus et al. probably don't
do progressive reading as they don't read from the net but from disk. The
following patch will fix the problem:

--- libpng-1.2.6rc1/pngpread.c  Wed Aug  4 18:18:30 2004
+++ libpng-1.2.6rc2/pngpread.c  Fri Aug  6 16:40:11 2004
@@ -1009,7 +1009,7 @@
             png_pass_inc[png_ptr->pass];

          png_ptr->irowbytes = PNG_ROWBYTES(png_ptr->pixel_depth,
-            png_ptr->iwidth);
+            png_ptr->iwidth) + 1;

          if (png_ptr->transformations & PNG_INTERLACE)
             break;
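
Review bot: the bare "+ 1" appended to PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) in the irowbytes assignment has no comment saying what the extra byte accounts for, so a later reader cannot tell an intentional per-row allowance from an off-by-one workaround. Please add a one-line comment at the assignment naming the byte being counted. Since the assignment sits before the PNG_INTERLACE test, the new value is used whether or not the break is taken; it is worth confirming that every other place in pngpread.c that sets irowbytes follows the same convention, and that any buffer sized from the old value is at least this large.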


MSB

-- 
Only two of my personalities are schizophrenic,
but one of them is paranoid and the other one is out to get him.



