[libpng15] Fixed undefined behavior in png_push_save_buffer(). Do not call

memcpy() with a null source, even if count is zero (Leon Scroggins III).
author: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> 2016-06-03 21:26:43 -0500
committer: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> 2016-06-03 21:26:43 -0500
commit: 6ddc038db9334f072f01df64c1d36ef491549e71 (patch)
tree: 83e038e58f7bad8f38a6b6b715ebe0c92e39dbfe
parent: c1ac308d12888bc2442eef29123c1d719261c25f (diff)
download: libpng-6ddc038db9334f072f01df64c1d36ef491549e71.tar.gz
3 files changed, 15 insertions, 6 deletions
diff --git a/ANNOUNCE b/ANNOUNCE
index e49e2abe0..4cbc78f12 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,5 +1,5 @@
 
-Libpng 1.5.28beta01 - May 31, 2016
+Libpng 1.5.28beta01 - June 4, 2016
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -26,8 +26,10 @@ Other information:
 
 Changes since the last public release (1.5.27):
 
-version 1.5.28beta01 [May 31, 2016]
+version 1.5.28beta01 [June 4, 2016]
   Merge with current libpng16 pngvalid.c
+  Fixed undefined behavior in png_push_save_buffer(). Do not call
+    memcpy() with a null source, even if count is zero (Leon Scroggins III).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/CHANGES b/CHANGES
index 1c39d45f8..54ab54d4a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4496,8 +4496,10 @@ version 1.5.27rc01 [May 14, 2016]
 version 1.5.27 [May 26, 2016]
   No changes.
 
-version 1.5.28beta01 [May 31, 2016]
+version 1.5.28beta01 [June 4, 2016]
   Merge with current libpng16 pngvalid.c
+  Fixed undefined behavior in png_push_save_buffer(). Do not call
+    memcpy() with a null source, even if count is zero (Leon Scroggins III).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/pngpread.c b/pngpread.c
index 9cf987d7e..bcd38cbc7 100644
--- a/pngpread.c
+++ b/pngpread.c
@@ -1,8 +1,8 @@
 
 /* pngpread.c - read a png file in push mode
  *
- * Last changed in libpng 1.5.23 [July 23, 2015]
- * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson
+ * Last changed in libpng 1.5.28 [(PENDING RELEASE)]
+ * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
@@ -628,7 +628,12 @@ png_push_save_buffer(png_structp png_ptr)
          png_error(png_ptr, "Insufficient memory for save_buffer");
       }
 
-      png_memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+      if (old_buffer)
+         png_memcpy(png_ptr->save_buffer, old_buffer,
+            png_ptr->save_buffer_size);
+      else if (png_ptr->save_buffer_size)
+         png_error(png_ptr, "save_buffer error");
+
       png_free(png_ptr, old_buffer);
       png_ptr->save_buffer_max = new_max;
    }
author	Glenn Randers-Pehrson <glennrp at users.sourceforge.net>	2016-06-03 21:26:43 -0500
committer	Glenn Randers-Pehrson <glennrp at users.sourceforge.net>	2016-06-03 21:26:43 -0500
commit	6ddc038db9334f072f01df64c1d36ef491549e71 (patch)
tree	83e038e58f7bad8f38a6b6b715ebe0c92e39dbfe
parent	c1ac308d12888bc2442eef29123c1d719261c25f (diff)
download	libpng-6ddc038db9334f072f01df64c1d36ef491549e71.tar.gz