[Zlib-devel] known bugs in distance-checking code?

Greg Roelofs newt at pobox.com
Wed Feb 23 16:03:47 EST 2005


Glenn wrote:

> but this only dumps core, whether I use libpng or libmng to read one of
> the buggy PNGs. #:-(
> what am I missing?

Um...Mark's earlier message, maybe?

>> The old inflate assured that the copies were always done from within 
>> the sliding window, which was treated as circular.

 [...]

>> That may be a little difficult, since one of the ways that the new 
>> inflate is faster than the old one is that it doesn't even create a 
>> sliding window until it needs to, and then only uses it sparingly.  As 
>> a result, when inflate first starts up, it uses the user-supplied 
>> output buffer as the window.  That means without the distance check, it 
>> would try to access memory before the user-supplied output buffer, 
>> which may cause an exception.  There would need to be special code 
>> added to write zeros for matches with distances too far back.

So, ultimately the issue is about performance:  to use the new and faster
code, the check must be there, and therefore the bad images will fail.
To see the bad images you must use 1.1.4 or earlier, or else retrofit a
compatibility version into 1.2.x.  (In fact, since most of the bad ones
die very quickly, you could use the old version as a fallback if the
new code doesn't work.  Of course, the Moz guys would never go for that
since it would bloat the code beyond the 1 TB limit...)

Greg

P.S.  Yes, that was sarcasm.
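The point in Mark's quoted message is easy to see in miniature: an LZ77 match is a (distance, length) pair that copies from `length` bytes already written, `distance` bytes back. If the decoder's only "window" is the caller's output buffer, a distance larger than the number of bytes produced so far indexes before `out[0]`. The following is an added example, not zlib's code and not from this thread: a toy token decoder with two back-reference copy routines, a strict one that rejects such a match (the 1.2.x behaviour) and a lenient one that emits zeros for the out-of-range part (an assumption about what the old circular-window inflate effectively produced for these streams). The token format, the function names and the sample stream are all constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of resolving one LZ77 back-reference (distance, length). */
enum copy_status { COPY_OK = 0, COPY_DISTANCE_TOO_FAR = 1, COPY_NO_ROOM = 2 };

/* Strict copy: refuse any match that would read before out[0].  This is the
 * kind of check a decoder needs when the caller's output buffer is the only
 * window it has.  (Hypothetical helper, not zlib's code.) */
static enum copy_status copy_match_strict(uint8_t *out, size_t cap,
                                          size_t *pos, size_t dist, size_t len)
{
    if (dist == 0 || dist > *pos)      /* source index would be negative */
        return COPY_DISTANCE_TOO_FAR;
    if (len > cap - *pos)              /* destination would overrun */
        return COPY_NO_ROOM;
    for (size_t i = 0; i < len; i++) { /* byte at a time: dist < len overlaps */
        out[*pos] = out[*pos - dist];
        (*pos)++;
    }
    return COPY_OK;
}

/* Lenient copy: bytes of the match that lie before out[0] become zeros
 * instead of an out-of-bounds read.  Assumption: this emulates what the old
 * circular-window inflate produced for such streams, the unwritten part of
 * its window reading back as zeros. */
static enum copy_status copy_match_lenient(uint8_t *out, size_t cap,
                                           size_t *pos, size_t dist, size_t len)
{
    if (dist == 0)
        return COPY_DISTANCE_TOO_FAR;
    if (len > cap - *pos)
        return COPY_NO_ROOM;
    for (size_t i = 0; i < len; i++) {
        out[*pos] = (dist > *pos) ? 0 : out[*pos - dist];
        (*pos)++;
    }
    return COPY_OK;
}

/* Toy token stream: either a literal byte or a (distance, length) match. */
struct token { int is_match; uint8_t lit; size_t dist; size_t len; };

typedef enum copy_status (*copy_fn)(uint8_t *, size_t, size_t *, size_t, size_t);

/* Decode tokens into out[], stopping at the first failed copy. */
static enum copy_status decode_tokens(const struct token *tok, size_t ntok,
                                      copy_fn copy, uint8_t *out, size_t cap,
                                      size_t *out_len)
{
    size_t pos = 0;
    enum copy_status st = COPY_OK;
    for (size_t i = 0; i < ntok && st == COPY_OK; i++) {
        if (tok[i].is_match)
            st = copy(out, cap, &pos, tok[i].dist, tok[i].len);
        else if (pos < cap)
            out[pos++] = tok[i].lit;
        else
            st = COPY_NO_ROOM;
    }
    *out_len = pos;
    return st;
}

/* Constructed sample: "abc", a valid match (back 2, copy 4) giving "abcbcbc",
 * then a bogus match reaching 10 bytes back when only 7 bytes exist. */
static const struct token SAMPLE[] = {
    {0, 'a', 0, 0}, {0, 'b', 0, 0}, {0, 'c', 0, 0},
    {1, 0, 2, 4},
    {1, 0, 10, 3},
};

/* Decode SAMPLE with the strict (lenient == 0) or lenient (lenient != 0) copy. */
int run_sample(int lenient, uint8_t *out, size_t cap, size_t *out_len)
{
    return (int)decode_tokens(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0],
                              lenient ? copy_match_lenient : copy_match_strict,
                              out, cap, out_len);
}

int main(void)
{
    uint8_t buf[32];
    size_t n;
    int st = run_sample(0, buf, sizeof buf, &n);
    printf("strict:  status %d, %zu bytes produced\n", st, n);   /* 1, 7 */
    st = run_sample(1, buf, sizeof buf, &n);
    printf("lenient: status %d, %zu bytes produced\n", st, n);   /* 0, 10 */
    return 0;
}
```

The strict decoder stops at the bogus match with `COPY_DISTANCE_TOO_FAR` after "abcbcbc"; the lenient one appends three zero bytes and carries on. Either way the copy loop never evaluates `out[*pos - dist]` with `dist > *pos`, which is exactly the read that an unchecked decoder using the caller's buffer as its window would perform.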
