diff options
author | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2016-06-03 21:23:10 -0500 |
---|---|---|
committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2016-06-03 21:23:10 -0500 |
commit | 01a1fd6ea5a0ec8041bb34ebe7cc4978d1c848c0 (patch) | |
tree | 6f3059b20a9a6e0848142ba9644e40743cfa8ac1 | |
parent | 08e993c0563c211822ad7eb275129d15dff7fba1 (diff) | |
download | libpng-01a1fd6ea5a0ec8041bb34ebe7cc4978d1c848c0.tar.gz |
[libpng12] Fixed undefined behavior in png_push_save_buffer(). Do not call
memcpy() with a null source, even if count is zero (Leon Scroggins III).
-rw-r--r-- | ANNOUNCE | 6 | ||||
-rw-r--r-- | CHANGES | 4 | ||||
-rw-r--r-- | pngpread.c | 11 |
3 files changed, 15 insertions, 6 deletions
@@ -1,5 +1,5 @@ -Libpng 1.2.57beta01 - March 1, 2016 +Libpng 1.2.57beta01 - June 4, 2016 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -40,8 +40,10 @@ Other information: Changes since the last public release (1.2.56): -version 1.2.57beta01 [March 1, 2016] +version 1.2.57beta01 [June 4, 2016] Fix typos in libpng.3 synopses (Eric S. Raymond). + Fixed undefined behavior in png_push_save_buffer(). Do not call + memcpy() with a null source, even if count is zero (Leon Scroggins III). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit @@ -2920,8 +2920,10 @@ version 1.2.56rc01 [December 14, 2015] version 1.2.56 [December 17, 2015] No changes. -version 1.2.57beta01 [March 1, 2016] +version 1.2.57beta01 [June 4, 2016] Fix typos in libpng.3 synopses (Eric S. Raymond). + Fixed undefined behavior in png_push_save_buffer(). Do not call + memcpy() with a null source, even if count is zero (Leon Scroggins III). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/pngpread.c b/pngpread.c index 4c9ae765c..e66eb768c 100644 --- a/pngpread.c +++ b/pngpread.c @@ -1,8 +1,8 @@ /* pngpread.c - read a png file in push mode * - * Last changed in libpng 1.2.44 [June 26, 2010] - * Copyright (c) 1998-2002,2004,2006-2010 Glenn Randers-Pehrson + * Last changed in libpng 1.2.57 [(TO BE RELEASED)] + * Copyright (c) 1998-2002,2004,2006-2010,2016 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -687,7 +687,12 @@ png_push_save_buffer(png_structp png_ptr) } else { - png_memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size); + if (old_buffer) + png_memcpy(png_ptr->save_buffer, old_buffer, + png_ptr->save_buffer_size); + else if (png_ptr->save_buffer_size) + png_error(png_ptr, "save_buffer error"); + png_memcpy(png_ptr->save_buffer, old_buffer,png_ptr->save_buffer_size); png_free(png_ptr, old_buffer); png_ptr->save_buffer_max = new_max; } |