[libpng12] Fixed undefined behavior in png_push_save_buffer(). Do not call

memcpy() with a null source, even if count is zero (Leon Scroggins III).
author: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> 2016-06-03 21:23:10 -0500
committer: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> 2016-06-03 21:23:10 -0500
commit: 01a1fd6ea5a0ec8041bb34ebe7cc4978d1c848c0 (patch)
tree: 6f3059b20a9a6e0848142ba9644e40743cfa8ac1
parent: 08e993c0563c211822ad7eb275129d15dff7fba1 (diff)
download: libpng-01a1fd6ea5a0ec8041bb34ebe7cc4978d1c848c0.tar.gz
3 files changed, 15 insertions, 6 deletions
diff --git a/ANNOUNCE b/ANNOUNCE
index c9ad48c86..0b7d4c80a 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
 
-Libpng 1.2.57beta01 - March 1, 2016
+Libpng 1.2.57beta01 - June 4, 2016
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -40,8 +40,10 @@ Other information:
 
 Changes since the last public release (1.2.56):
 
-version 1.2.57beta01 [March 1, 2016]
+version 1.2.57beta01 [June 4, 2016]
   Fix typos in libpng.3 synopses (Eric S. Raymond).
+  Fixed undefined behavior in png_push_save_buffer(). Do not call
+    memcpy() with a null source, even if count is zero (Leon Scroggins III).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index 83ae8c057..bcdd751be 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2920,8 +2920,10 @@ version 1.2.56rc01 [December 14, 2015]
 version 1.2.56 [December 17, 2015]
   No changes.
 
-version 1.2.57beta01 [March 1, 2016]
+version 1.2.57beta01 [June 4, 2016]
   Fix typos in libpng.3 synopses (Eric S. Raymond).
+  Fixed undefined behavior in png_push_save_buffer(). Do not call
+    memcpy() with a null source, even if count is zero (Leon Scroggins III).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/pngpread.c b/pngpread.c
index 4c9ae765c..e66eb768c 100644
--- a/pngpread.c
+++ b/pngpread.c
@@ -1,8 +1,8 @@
 
 /* pngpread.c - read a png file in push mode
  *
- * Last changed in libpng 1.2.44 [June 26, 2010]
- * Copyright (c) 1998-2002,2004,2006-2010 Glenn Randers-Pehrson
+ * Last changed in libpng 1.2.57 [(TO BE RELEASED)]
+ * Copyright (c) 1998-2002,2004,2006-2010,2016 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
@@ -687,7 +687,12 @@ png_push_save_buffer(png_structp png_ptr)
       }
       else
       {
-        png_memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+        if (old_buffer)
+          png_memcpy(png_ptr->save_buffer, old_buffer,
+             png_ptr->save_buffer_size);
+        else if (png_ptr->save_buffer_size)
+          png_error(png_ptr, "save_buffer error");
+        png_memcpy(png_ptr->save_buffer, old_buffer,png_ptr->save_buffer_size);
         png_free(png_ptr, old_buffer);
         png_ptr->save_buffer_max = new_max;
       }
author	Glenn Randers-Pehrson <glennrp at users.sourceforge.net>	2016-06-03 21:23:10 -0500
committer	Glenn Randers-Pehrson <glennrp at users.sourceforge.net>	2016-06-03 21:23:10 -0500
commit	01a1fd6ea5a0ec8041bb34ebe7cc4978d1c848c0 (patch)
tree	6f3059b20a9a6e0848142ba9644e40743cfa8ac1
parent	08e993c0563c211822ad7eb275129d15dff7fba1 (diff)
download	libpng-01a1fd6ea5a0ec8041bb34ebe7cc4978d1c848c0.tar.gz