[libpng14] Fixed a potential null pointer dereference in png_set_text_2()

(bug report and patch by Patrick Keshishian)

3 files changed, 5 insertions, 0 deletions

diff --git a/ANNOUNCE b/ANNOUNCE
index d5685e461..d4b6ac8d4 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -28,6 +28,8 @@ Changes since the last public release (1.4.19):
   Fix typos in libpng.3 synopses (Eric S. Raymond).
   Fixed undefined behavior in png_push_save_buffer(). Do not call
     memcpy() with a null source, even if count is zero (Leon Scroggins III).
+  Fixed a potential null pointer dereference in png_set_text_2() (bug report
+    and patch by Patrick Keshishian)
 
 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit
diff --git a/CHANGES b/CHANGES
index 94ef0038e..10ae5405a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3040,6 +3040,8 @@ version 1.4.20rc01 [December 27, 2016]
     memcpy() with a null source, even if count is zero (Leon Scroggins III).
 
 version 1.4.20 [December 29, 2016]
+  Fixed a potential null pointer dereference in png_set_text_2() (bug report
+    and patch by Patrick Keshishian).
 
 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit
diff --git a/png.c b/png.c
index bd9d6acdc..d2d92465b 100644
--- a/png.c
+++ b/png.c
@@ -279,6 +279,7 @@ png_free_data(png_structp png_ptr, png_infop info_ptr, png_uint_32 mask,
          png_free(png_ptr, info_ptr->text);
          info_ptr->text = NULL;
          info_ptr->num_text=0;
+         info_ptr->max_text=0;
       }
    }
 #endif