Re: Re: CVE request - read underflow in libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25 (pngwutil.c)

[Glenn Randers-Pehrson <glennrp () gmail com>]

On Fri, Dec 11, 2015 at 10:36 AM, <cve-assign () mitre org> wrote:

> ...
>
> > there is a underflow read in png_check_keyword in pngwutil.c in
> libpng-1.2.54
>
> > if the data of "key" is only ' ' (0x20), it will read a byte before the
> buffer in line 1288.
>
> > it also impacts libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25 .
>
> > > The bug was introduced in libpng-0.90, was fixed in libpng-1.6.0, and
> will be
> > > fixed in libpng-1.0.66, 1.2.56, 1.4.19, and 1.5.26.
>
> > https://sourceforge.net/p/libpng/bugs/244/
>
> This says the problem was on a "1288 while (kp == ' ')" line but that
> seems very confusing because that line doesn't appear to be present in
> libpng-1.2.54 or any other version. As far as we can tell, the
> unpatched code has
>
>   while (*kp == ' ')
>
> and the patched code has
>
>   while (key_len && *kp == ' ')

That's correct.  The bug tracker at SourceForge has an unpleasant effect
of removing asterisks, backticks, and whatnot from bug reports, thereby
making the reports very confusing.

Glenn