With certain PNG files png_write_iCCP tries to malloc about 2^64 +/- 128 bytes (or 2^32 +/- 128 bytes on 32-bit archs) because of unspecified variable types where | operates on signed values and produces a negative value. Patch:
--- pngwutil.c.orig 2006-11-28 17:25:59.000000000 +0100 +++ pngwutil.c 2006-12-27 15:47:53.000000000 +0100 @@ -733,7 +733,7 @@ png_write_iCCP(png_structp png_ptr, png_ png_size_t name_len; png_charp new_name; compression_state comp; - int embedded_profile_len = 0; + unsigned int embedded_profile_len = 0; png_debug(1, "in png_write_iCCP\n"); @@ -757,8 +757,8 @@ png_write_iCCP(png_structp png_ptr, png_ profile_len = 0; if (profile_len > 3) - embedded_profile_len = ((*(profile ))<<24) | ((*(profile+1))<<16) | - ((*(profile+2))<< 8) | ((*(profile+3)) ); + embedded_profile_len = (((png_byte)(*(profile)))<<24) | (((png_byte)(*(profile+1)))<<16) | + (((png_byte)(*(profile+2)))<< 8) | ((png_byte)(*(profile+3))); if (profile_len < embedded_profile_len) {
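Review bot: in the first hunk (`- int embedded_profile_len = 0;` / `+ unsigned int embedded_profile_len = 0;`) the type change only helps if the later `if (profile_len < embedded_profile_len)` compares like types; if `profile_len` is a signed `int` (its declaration is outside the hunk) that comparison becomes mixed-signedness and the compiler silently converts `profile_len` to unsigned. State the type of `profile_len` in the patch description, or make both sides `png_uint_32`; note also that the maintainer's reply below says upstream kept `int` here and relied on the casts in the second hunk alone.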
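Review bot: in the second hunk, `(png_byte)` stops the sign extension of a `char` byte, which is the cause of the negative length, but `((png_byte)(*(profile)))<<24` still promotes the byte to `int` before shifting, so a first byte of 0x80 or more lands in the sign bit; with the declared type left as `int` (as upstream kept it, per the reply below) that again yields a negative `embedded_profile_len`, and even with the `unsigned int` from the first hunk the shift itself is performed on a signed `int`. Suggest widening before the shift on all four terms, e.g. `((png_uint_32)(png_byte)(*(profile)))<<24`.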
Created attachment 104809: Patch for libpng-1.2.13 and 1.2.14
Where did this patch come from?
This was my patch; I sent it to the current libpng maintainer too. Here's the reply I got:

from glennrp@comcast.net <glennrp@comcast.net>
to torindel <torindel@gmail.com>
date Dec 27, 2006 5:39 PM
subject Re: libpng memleak
mailed-by comcast.net

Already fixed in libpng-1.2.15rc4. We didn't change the type of embedded_profile_len but did add the (png_byte) typecasting. Please see if rc4 works for you. Glenn

-------------- Original message ----------------------
From: torindel <torindel@gmail.com>
> Hey,
> on amd64 with certain png files png_write_iCCP tries to malloc about
> 2^64 +/- 128 bytes because of unspecified variable types where |
> operates on signed values and produces a negative value, here's the patch vs
> 1.2.14:
> > --- > pngwutil.c.orig 2006-11-28 17:25:59.000000000 +0100 > +++ pngwutil.c 2006-12-27 15:47:53.000000000 +0100 > @@ -733,7 +733,7 @@ png_write_iCCP(png_structp png_ptr, png_ > png_size_t name_len; > png_charp new_name; > > compression_state comp; > - int embedded_profile_len = 0; > + unsigned int embedded_profile_len = 0; > > png_debug(1, "in png_write_iCCP\n"); > > @@ -757,8 +757,8 @@ png_write_iCCP(png_structp png_ptr, png_ > > profile_len = 0; > > if (profile_len > 3) > - embedded_profile_len = ((*(profile ))<<24) | ((*(profile+1))<<16) | > - ((*(profile+2))<< 8) | ((*(profile+3)) ); > > + embedded_profile_len = (((png_byte)(*(profile)))<<24) | > (((png_byte)(*(profile+1)))<<16) | > + (((png_byte)(*(profile+2)))<< 8) | ((png_byte)(*(profile+3))); > > if (profile_len < embedded_profile_len) > > {

Solution would be either masking everything pre libpng-1.2.15rc4 in portage or applying my patch to the above. This bug appears even during normal emerges (making docs) or during normal work with apps using libpng, e.g. ImageMagick was emerged against the broken libpng and you start emerging gimp-help with USE="imagemagick". Result? convert from the imagemagick ebuild either segfaults or memleaks during emerge.
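As an added example (not code from libpng, from the reporter or from the maintainer), covering the failure described in the opening report and repeated in the quoted e-mail: the signed-byte length read is reproduced beside a corrected unsigned read, and both are fed through an assumed model of how the writer reconciles the caller's length with the length embedded in the profile header. The reject/truncate steps and the final size_t conversion are assumptions for illustration, not lines from the page; the 2^64 - 128 figure assumes a 64-bit size_t; the sample profile bytes are constructed.

```c
/* Added example (not libpng code): sign-extended length read behind the
 * png_write_iCCP report, next to the corrected read. The reject/truncate
 * model below is an assumption, not libpng's code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Mirrors the pre-1.2.15 expression. png_charp is char*, and char is signed
 * on the reporter's amd64 target; `signed char` is spelled out so the
 * demonstration behaves the same on targets where char is unsigned. */
static int read_be32_signed_char(const char *p)
{
    const signed char *s = (const signed char *)p;
    return ((*(s)) << 24) | ((*(s + 1)) << 16) | ((*(s + 2)) << 8) | ((*(s + 3)));
}

/* Corrected read: widen each byte as unsigned before shifting, so no byte
 * sign-extends and a top byte >= 0x80 cannot land in an int's sign bit. */
static uint32_t read_be32_unsigned(const char *p)
{
    const unsigned char *u = (const unsigned char *)p;
    return ((uint32_t)u[0] << 24) | ((uint32_t)u[1] << 16) |
           ((uint32_t)u[2] << 8)  |  (uint32_t)u[3];
}

typedef struct {
    int    rejected;    /* chunk would be skipped with a warning */
    size_t bytes_used;  /* length handed on for compression / allocation */
} iccp_decision;

/* Assumed model (not libpng's code): a caller length below the embedded
 * length rejects the chunk, a caller length above it is truncated to the
 * embedded length, and the survivor is converted to size_t. */
static iccp_decision decide_vulnerable(const char *profile, int profile_len)
{
    iccp_decision d = { 0, 0 };
    int embedded_profile_len = 0;

    if (profile_len > 3)
        embedded_profile_len = read_be32_signed_char(profile);
    if (profile_len < embedded_profile_len) { d.rejected = 1; return d; }
    if (profile_len > embedded_profile_len)
        profile_len = embedded_profile_len;   /* a negative value survives here */
    d.bytes_used = (size_t)profile_len;       /* -128 becomes SIZE_MAX - 127 */
    return d;
}

static iccp_decision decide_hardened(const char *profile, size_t profile_len)
{
    iccp_decision d = { 0, 0 };
    uint32_t embedded_profile_len = 0;

    if (profile_len > 3)
        embedded_profile_len = read_be32_unsigned(profile);
    if (profile_len < embedded_profile_len) { d.rejected = 1; return d; }
    d.bytes_used = embedded_profile_len;      /* never exceeds profile_len */
    return d;
}

/* Constructed sample: header declares the profile size as 0x00000080 (128)
 * big-endian, followed by filler up to 128 bytes. */
static char sample_profile[128] = { 0x00, 0x00, 0x00, (char)0x80 };

/* Constructed sample: header claims 0x80000000 bytes, only 128 supplied. */
static char oversized_header[128] = { (char)0x80, 0x00, 0x00, 0x00 };

int main(void)
{
    iccp_decision v = decide_vulnerable(sample_profile, 128);
    iccp_decision h = decide_hardened(sample_profile, 128);
    iccp_decision o = decide_hardened(oversized_header, 128);
    printf("signed read:   %d\n", read_be32_signed_char(sample_profile));
    printf("unsigned read: %u\n", (unsigned)read_be32_unsigned(sample_profile));
    printf("vulnerable path would request %zu bytes\n", v.bytes_used);
    printf("hardened path requests %zu bytes (rejected=%d)\n", h.bytes_used, h.rejected);
    printf("oversized header rejected=%d\n", o.rejected);
    return 0;
}
```

The sample puts the 0x80 byte in the last position so the sign extension shows up without shifting a negative value; the same bytes read as 128 through the unsigned path. The hardened reader widens to uint32_t before the shift rather than only casting to an unsigned byte, because an unsigned byte still promotes to int and a first byte of 0x80 or more would otherwise overflow it.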
Yeah, masking versions doesn't make any sense at all.
Created attachment 105035: libpng 1.2.14 vs 1.2.15rc5 diff
Fixed in 1.2.14-r1.
Fix it in 1.2.13 and 1.2.12 too.
No.