Bug 604082 (CVE-2016-10087)

Description Thomas Deutschmann (RETIRED) 2016-12-29 21:23:26 UTC

From: https://sourceforge.net/p/png-mng/mailman/message/35575076/

libpng-1.6.27, 1.5.28, and 1.2.57, plus legacy libpng-1.0.67 and 1.4.20, and
1.7.0beta86 are available from ftp://ftp.simplesystems.org/pub/png/src
and from http://libpng.sf.net

These all fix a potential "NULL dereference" bug that has existed in libpng
since version 0.71 of June 26, 1995.  To be vulnerable, an application
has to load a text chunk into the png structure, then delete all text, then
add another text chunk to the same png structure, which seems to be
an unlikely sequence, but it has happened.

libpng.3 synopses (Eric S. Raymond).
  Fixed undefined behavior in png_push_save_buffer(). Do not call
    memcpy() with a null source, even if count is zero (Leon Scroggins III).
  Fixed a potential null pointer dereference in png_set_text_2() (bug report
    and patch by Patrick Keshishian).

Libpng 1.4.20 - December 29, 2016

  Fix typos in libpng.3 synopses (Eric S. Raymond).
  Fixed undefined behavior in png_push_save_buffer(). Do not call
    memcpy() with a null source, even if count is zero (Leon Scroggins III).
  Fixed a potential null pointer dereference in png_set_text_2() (bug report
    and patch by Patrick Keshishian).

Libpng 1.5.28 - December 29, 2016

  Merged with current libpng16 gregbook, pngvalid.c, pngtest.c, pngminim,
    pngminus
  Added "Common linking failures" section to INSTALL.
  Fixed undefined behavior in png_push_save_buffer(). Do not call
    memcpy() with a null source, even if count is zero (Leon Scroggins III).
  Merge contrib/pngminim/*/makefile with libpng-1.6.24
  Minor editing of INSTALL, (whitespace, added copyright line)
  Removed the use of a macro containing the pre-processor 'defined'
    operator.  It is unclear whether this is valid; a macro that
    "generates" 'defined' is not permitted, but the use of the word
    "generates" within the C90 standard seems to imply more than simple
    substitution of an expression itself containing a well-formed defined
    operation.
  Previously the pngtrans.c code always resulted in an unsigned arithmetic
    overflow. This is well defined but produces errors from clang with the
    option to detect unsigned overflow. As the expression only gets
    evaluated once per row in this version of libpng it is easier just
    to rewrite it.
  The previous version of png.c produced a signed overflow as a result of
    both the "& 0xffff" on the most significant bits of a negative argument;
    this converted (-1) into 65535 which resulted in a subsequent overflow.
    Since signed overflow is undefined in C90 the code has been modified to
    correctly calculate a signed result.  This requires changing the 'hi'
    result parameter to a signed value.
  Fixed a potential null pointer dereference in png_set_text_2() (bug report
    and patch by Patrick Keshishian).

Libpng 1.6.27 - December 29, 2016

  Control ADLER32 checking with new PNG_IGNORE_ADLER32 option.
  Removed the use of a macro containing the pre-processor 'defined'
    operator.  It is unclear whether this is valid; a macro that
    "generates" 'defined' is not permitted, but the use of the word
    "generates" within the C90 standard seems to imply more than simple
    substitution of an expression itself containing a well-formed defined
    operation.
  Added ARM support to CMakeLists.txt (Andreas Franek).
  Fixed a potential null pointer dereference in png_set_text_2() (bug report
    and patch by Patrick Keshishian).

Version 1.7.0beta86 [December 29, 2016]
  Ported CMakeLists.txt from libpng-1.6.27rc01.
  Fixed a potential null pointer dereference in png_set_text_2() (bug report
    and patch by Patrick Keshishian).