File pngcheck-CVE-2020-27818.patch of Package pngcheck

Fix buffer overflow reported in RHBZ #1897485.

When char is signed, casting to a (signed) int directly could produce a
negative offset into the ASCII lookup table; adding an intermediate cast to uch
(a typedef for unsigned char) ensures a nonnegative offset no greater than 255,
which always corresponds to a valid table index.

diff -Naur pngcheck-2.3.0-original/pngcheck.c pngcheck-2.3.0/pngcheck.c
--- pngcheck-2.3.0-original/pngcheck.c  2007-07-08 02:23:31.000000000 -0400
+++ pngcheck-2.3.0/pngcheck.c   2020-11-13 11:24:31.039164410 -0500
@@ -4895,8 +4895,10 @@
 /* GRR 20061203:  now EBCDIC-safe */
 int check_chunk_name(char *chunk_name, char *fname)
 {
-  if (isASCIIalpha((int)chunk_name[0]) && isASCIIalpha((int)chunk_name[1]) &&
-      isASCIIalpha((int)chunk_name[2]) && isASCIIalpha((int)chunk_name[3]))
+  if (isASCIIalpha((int)(uch)chunk_name[0]) &&
+      isASCIIalpha((int)(uch)chunk_name[1]) &&
+      isASCIIalpha((int)(uch)chunk_name[2]) &&
+      isASCIIalpha((int)(uch)chunk_name[3]))
     return 0;

   printf("%s%s  invalid chunk name \"%.*s\" (%02x %02x %02x %02x)\n",
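Review bot: The four added `(int)(uch)chunk_name[i]` casts in `check_chunk_name` fix the negative index only at this call site. `isASCIIalpha` itself still takes whatever int it is handed, so any other caller that passes a plain `char` keeps the same problem. Consider applying the `uch` conversion inside `isASCIIalpha` (whether it is a macro or a function), or declaring the parameter as `uch *chunk_name`, so the guarantee lives in one place rather than being repeated per argument. The commit message relies on the lookup table having an entry for every value up to 255. That table is not part of this hunk, so its size is worth confirming in the same change. The trailing-context `printf` formats the four name bytes with `%02x` and its argument list is cut off here. If those arguments are passed as plain `char`, a byte of 0x80 or above sign-extends and prints as more than two hex digits on signed-char platforms, so the same `uch` cast would belong there too.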