[Zlib-devel] Just an opinion on the distance-checking problem

Gilles Vollant info at winimage.com
Tue Mar 1 07:59:42 EST 2005



Mark wrote on this subject:
"In my opinion, it is better to catch these than to let some buggy deflator
out there continue in its life of crime."

I fully understand, but there is a bug risk: preventing some software from
migrating from zLib 1.1.4 to 1.2.2 or later.

When I wrote two weeks ago about the old URL problem with old versions (which
is now fixed), this was because I discovered that a lot of released software
actually did not use the current zLib. For the user of the library, if he
understands that he risks fewer compatibility problems with 1.1.4 than with
1.2.x, he will use 1.1.4.

So, if it is technically possible for the next zLib 1.2.x to support these
buggy files without security problems and with only a very low performance
cost, I suggest zlib support these files.


About http://messy.desk.pl/mw/0000/mw__0020.png , I have found Scansoft
Omnipage 12 on one of my computers.
I converted mw__0020.png to PCX, and converted the PCX to PNG with Omnipage,
and I obtained exactly the same file.
I can do more tests if you want.
I found no string in image.dll of the software that shows the library used to
deflate the PNG.

Omnipage is well-known software in the Windows world.

For end users, unlike TIFF, PNG is always a reliable format: all
PNG-compliant apps open all PNG files (except that Alpha information is
sometimes stripped).

I did not work on the deflator myself; this is just an opinion. Excuse me
if this is not useful! :-)

Gilles




