author | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-08-05 20:51:23 -0500 |
---|---|---|
committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-08-05 20:51:23 -0500 |
commit | 39d84f4f6abd8b4f537e4e06d67b3b1907116bec (patch) | |
tree | 7790df8b732d77f1e3d8dd3a7513cc463e5a03f7 /pngrutil.c | |
parent | c5c778bcfc21182cf3896dcfa044e494d4f9b96c (diff) | |
download | libpng-39d84f4f6abd8b4f537e4e06d67b3b1907116bec.tar.gz |
[lbpng16] Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue.
Diffstat (limited to 'pngrutil.c')
-rw-r--r-- | pngrutil.c | 39 |
1 files changed, 22 insertions, 17 deletions
diff --git a/pngrutil.c b/pngrutil.c
index 2cb0d0d7e..6c6a39a35 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -2636,23 +2636,28 @@ png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 {
 png_text text;
- /* It worked; png_ptr->read_buffer now looks like a tEXt chunk except
- * for the extra compression type byte and the fact that it isn't
- * necessarily '\0' terminated.
- */
- buffer = png_ptr->read_buffer;
- buffer[uncompressed_length+(keyword_length+2)] = 0;
-
- text.compression = PNG_TEXT_COMPRESSION_zTXt;
- text.key = (png_charp)buffer;
- text.text = (png_charp)(buffer + keyword_length+2);
- text.text_length = uncompressed_length;
- text.itxt_length = 0;
- text.lang = NULL;
- text.lang_key = NULL;
-
- if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0)
- errmsg = "insufficient memory";
+ if (png_ptr->read_buffer == NULL)
+ errmsg="Read failure in png_handle_zTXt";
+ else
+ {
+ /* It worked; png_ptr->read_buffer now looks like a tEXt chunk
+ * except for the extra compression type byte and the fact that
+ * it isn't necessarily '\0' terminated.
+ */
+ buffer = png_ptr->read_buffer;
+ buffer[uncompressed_length+(keyword_length+2)] = 0;
+
+ text.compression = PNG_TEXT_COMPRESSION_zTXt;
+ text.key = (png_charp)buffer;
+ text.text = (png_charp)(buffer + keyword_length+2);
+ text.text_length = uncompressed_length;
+ text.itxt_length = 0;
+ text.lang = NULL;
+ text.lang_key = NULL;
+
+ if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0)
+ errmsg = "insufficient memory";
+ }
 }
 else |
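Review bot: The new `png_ptr->read_buffer == NULL` guard protects the dereference below it, but a NULL pointer is a different failure from the uninitialized read named in the commit title, and nothing in the hunk shows that every byte reachable through `text.key` and `text.text` has been written when the buffer is non-NULL. The terminator store `buffer[uncompressed_length+(keyword_length+2)] = 0` likewise depends on the allocation holding at least `uncompressed_length + keyword_length + 3` bytes, which is established outside this hunk (presumably by the decompression step in the enclosing `if`, which begins above the hunk). I would add a comment above the guard stating when `read_buffer` can be NULL after a successful decompress and which call guarantees the buffer size and contents, for example `/* read_buffer is NULL only if <condition>; the decompress step allocates prefix + uncompressed_length + 1 bytes */`, once that is confirmed against the code above. As a style point, `errmsg="Read failure in png_handle_zTXt";` should be spaced like the `errmsg = "insufficient memory";` assignment a few lines below.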