[Zlib-devel] known bugs in distance-checking code?
Mark Adler
madler at alumni.caltech.edu
Wed Feb 23 11:36:12 EST 2005
On Feb 23, 2005, at 12:19 AM, Greg Roelofs wrote:
> Someone reported a pile
> of scanned PNGs (still unknown encoding software), most of which
> fail in zlib 1.2.x with "invalid distance too far back." Here's
> an example:
>
> http://messy.desk.pl/mw/0000/mw__0020.png
Greg,
That png does indeed have an invalid distance too far back. The
relevant portions are shown below disassembled. There are five
literals followed by a match with distance 132. The maximum distance
allowed at that point is five. With the old inflate, it will most
likely copy zeros from the sliding window, since it was allocated with
calloc(), if this is the first use of that window. If the inflate
structure is being reused, e.g. with inflateReset(), then it would copy
something from near the end of the last image.
So the png file was improperly generated somehow. In my opinion, it is
better to catch these than to let some buggy deflator out there
continue in its life of crime.
mark
gromit% pngdat < mw__0020.png | infgen
! infgen 1.0 output
!
zlib
!
dynamic
code 0 3
...
dist 29 4
literal 0 255 255 255 192
match 128 132
...
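Added example, not code from this thread or from zlib or infgen: the Python below rebuilds the token sequence the infgen dump shows (literals 0 255 255 255 192, then match 128 132) as a raw deflate stream using fixed Huffman codes, runs it through the zlib Python links against, and beside it runs a toy decoder that reads zeros for any byte before the start of the output, which approximates the behaviour Mark describes for the old inflate on a freshly calloc()ed window. The token format, the function names and the toy decoder are this example's own; the only assumption about zlib is its default behaviour of rejecting such a match with the "invalid distance too far back" message. The encoder is general (any sequence of literals and matches in a single fixed-Huffman block), so the same code also builds the corrected stream with distance 5, the largest distance legal after five bytes.

```python
"""Added example (not zlib or infgen code): rebuild the tokens infgen printed,
five literals then a match of length 128 at distance 132, as a raw deflate
stream, run it through zlib, and compare with a toy zero-copying old inflate."""
import zlib

# RFC 1951 section 3.2.5: length codes 257..285 and distance codes 0..29.
LEN_BASE = [3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43,
            51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258]
LEN_EXTRA = [0] * 8 + [1] * 4 + [2] * 4 + [3] * 4 + [4] * 4 + [5] * 4 + [0]
DIST_BASE = [1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257,
             385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289,
             16385, 24577]
DIST_EXTRA = [0, 0, 0, 0] + [n for n in range(1, 14) for _ in (0, 1)]

def _lookup(value, bases, extras):
    """Map a length or distance to (code index, extra-bit count, extra value)."""
    i = max(k for k in range(len(bases)) if bases[k] <= value)
    return i, extras[i], value - bases[i]

def deflate_fixed(tokens):
    """Raw deflate: one final block with fixed Huffman codes.
    tokens are ('lit', byte) or ('match', length, distance), as infgen prints."""
    bits = []
    def put(v, n):       # header fields and extra bits go LSB-first
        bits.extend((v >> i) & 1 for i in range(n))
    def code(c, n):      # Huffman codes go MSB-first
        bits.extend((c >> i) & 1 for i in range(n - 1, -1, -1))
    def litlen(sym):     # fixed literal/length code table
        if sym < 144: code(0x30 + sym, 8)
        elif sym < 256: code(0x190 + sym - 144, 9)
        elif sym < 280: code(sym - 256, 7)
        else: code(0xC0 + sym - 280, 8)
    put(1, 1)            # BFINAL
    put(1, 2)            # BTYPE = 01, fixed Huffman
    for t in tokens:
        if t[0] == 'lit':
            litlen(t[1])
        else:
            i, nx, x = _lookup(t[1], LEN_BASE, LEN_EXTRA)
            litlen(257 + i); put(x, nx)
            i, nx, x = _lookup(t[2], DIST_BASE, DIST_EXTRA)
            code(i, 5); put(x, nx)
    litlen(256)          # end of block
    return bytes(sum(b << j for j, b in enumerate(bits[i:i + 8]))
                 for i in range(0, len(bits), 8))

def inflate_zlib(data):
    """Current zlib: (True, output) or (False, zlib's error message)."""
    d = zlib.decompressobj(-15)  # negative wbits: raw deflate, no zlib header
    try:
        return True, d.decompress(data) + d.flush()
    except zlib.error as e:
        return False, str(e)

def inflate_lenient(data):
    """Toy decoder for a single fixed-Huffman block. A match that reaches back
    before the first output byte reads zeros, which is what an old inflate with
    a freshly calloc()ed window would have copied instead of failing."""
    bits, pos = [(b >> i) & 1 for b in data for i in range(8)], 0
    def get(n):          # LSB-first field
        nonlocal pos
        v = sum(bits[pos + i] << i for i in range(n)); pos += n
        return v
    def code(n):         # MSB-first Huffman bits
        return sum(get(1) << (n - 1 - i) for i in range(n))
    if get(1) != 1 or get(2) != 1:
        raise ValueError("toy decoder handles one fixed-Huffman block only")
    out = bytearray()
    while True:
        v = code(7)
        if v <= 23:                    # 7-bit codes: symbols 256..279
            sym = 256 + v
        else:
            v = (v << 1) | get(1)      # 8-bit codes: 0..143 and 280..287
            if v <= 191: sym = v - 48
            elif v <= 199: sym = 280 + v - 192
            else: sym = 144 + ((v << 1) | get(1)) - 400   # 9-bit: 144..255
        if sym < 256:
            out.append(sym)
        elif sym == 256:
            return bytes(out)
        else:
            length = LEN_BASE[sym - 257] + get(LEN_EXTRA[sym - 257])
            d = code(5)
            dist = DIST_BASE[d] + get(DIST_EXTRA[d])
            for _ in range(length):
                src = len(out) - dist
                out.append(out[src] if src >= 0 else 0)  # zero: unwritten window

def demo():
    """The stream from the infgen dump beside a corrected one (distance 5)."""
    lits = [('lit', b) for b in (0, 255, 255, 255, 192)]   # from the dump
    bad = deflate_fixed(lits + [('match', 128, 132)])      # 132 > 5 bytes out
    good = deflate_fixed(lits + [('match', 128, 5)])       # 5 is the max here
    return {'bad_zlib': inflate_zlib(bad), 'bad_lenient': inflate_lenient(bad),
            'good_zlib': inflate_zlib(good), 'good_lenient': inflate_lenient(good)}
```

Calling demo() shows the two outcomes side by side: zlib refuses the distance-132 stream with "invalid distance too far back", while the toy decoder silently returns the five literals followed by 128 zero bytes (127 from the never-written window plus the first literal, which is itself 0). With distance 5 both decoders agree on the same 133 bytes, so the toy decoder's extra leniency is exactly the behaviour the check removes.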