Integer overflow in the libpng PNG library, which could lead to the execution of arbitrary code if a malformed image is processed

Bug #934372 reported by Zubin Mithra
Affects: libpng (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Jamie Strandboge
Milestone:

Bug Description

Integer overflow in the libpng PNG library, which could lead to the execution
of arbitrary code if a malformed image is processed

The line,
png_charp text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1);

inside libpng/pngrutil.c needs to be checked for truncation and integer overflow.

CVE-2011-3026.

http://src.chromium.org/viewvc/chrome/branches/963/src/third_party/libpng/pngrutil.c?view=patch&r1=121492&r2=121491&pathrev=121492
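The report's point is the size expression prefix_size + expanded_size + 1: with no check, a large expanded_size wraps the sum to a small value, the allocation is undersized, and the later copy overruns it. The block below is an added illustration written for this page, not libpng code and not the Chromium patch linked above. It places the unchecked computation beside a checked one that rejects wrap-around and also rejects results that would not fit a narrower allocator parameter (alloc_max is a hypothetical bound standing in for the allocator's size type; libpng 1.2.x takes a png_uint_32 there, which is the truncation the report mentions). alloc_text_buffer is a hypothetical stand-in for png_malloc_warn; the inputs in main are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration, not libpng code. The arithmetic mirrors the
 * expression quoted in the bug report: prefix_size + expanded_size + 1. */

/* Unchecked form: size_t addition wraps silently modulo SIZE_MAX + 1, so a
 * huge expanded_size yields a tiny allocation that the later copy overruns. */
size_t text_buffer_size_unchecked(size_t prefix_size, size_t expanded_size)
{
    return prefix_size + expanded_size + 1;
}

/* Checked form: stores the size in *out and returns 1, or returns 0 when any
 * step would wrap or when the result exceeds alloc_max, the largest value the
 * allocator's size parameter can hold (UINT32_MAX for a png_uint_32 parameter,
 * where a larger size_t would silently truncate). */
int text_buffer_size_checked(size_t prefix_size, size_t expanded_size,
                             size_t alloc_max, size_t *out)
{
    size_t sum;

    if (expanded_size > SIZE_MAX - prefix_size)   /* prefix + expanded wraps */
        return 0;
    sum = prefix_size + expanded_size;
    if (sum == SIZE_MAX)                           /* the trailing + 1 wraps */
        return 0;
    sum += 1;
    if (sum > alloc_max)                           /* would truncate on a narrow parameter */
        return 0;
    *out = sum;
    return 1;
}

/* Hypothetical allocation helper standing in for png_malloc_warn: it only
 * allocates when the size computation succeeded, otherwise returns NULL. */
char *alloc_text_buffer(size_t prefix_size, size_t expanded_size, size_t alloc_max)
{
    size_t need;

    if (!text_buffer_size_checked(prefix_size, expanded_size, alloc_max, &need))
        return NULL;
    return malloc(need);
}

int main(void)
{
    /* Constructed inputs: a small prefix and an expanded size close to SIZE_MAX. */
    size_t prefix = 16;
    size_t huge = SIZE_MAX - 8;
    size_t out = 0;

    /* Wraps to 8: the buffer would be 8 bytes for a copy of ~SIZE_MAX bytes. */
    printf("unchecked size: %zu\n", text_buffer_size_unchecked(prefix, huge));
    printf("checked accepts huge input: %d\n",
           text_buffer_size_checked(prefix, huge, SIZE_MAX, &out));
    printf("checked accepts small input: %d (size %zu)\n",
           text_buffer_size_checked(prefix, 100, SIZE_MAX, &out), out);
    return 0;
}
```

The two conditions in the checked form are separate on purpose: the first catches wrap in the addition itself, the second catches a sum that is arithmetically fine in size_t but too large for the allocator's parameter; on a 32-bit build the two coincide, on a 64-bit build with a 32-bit allocator parameter only the second one fires.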

Jamie Strandboge (jdstrand) wrote:

Thanks for using Ubuntu and reporting a bug. This is already fixed in 1.2.46-3ubuntu2 in Ubuntu 12.04 and the stable releases of Ubuntu in http://www.ubuntu.com/usn/usn-1367-1/.

visibility: private → public
Changed in libpng (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Fix Released