author | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2016-06-03 18:40:42 -0500 |
---|---|---|
committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2016-06-03 18:40:42 -0500 |
commit | 89158b9ad12a67e86bcc77119aeead6bc4d04dd6 (patch) | |
tree | 7c2c1b54417ed3579bce6554e660dbdebfa4a231 | |
parent | 1fdac25f66f885bb59766309e2cc6775ae5a1197 (diff) | |
download | libpng-89158b9ad12a67e86bcc77119aeead6bc4d04dd6.tar.gz |
[libpng16] Fixed undefined behavior in png_push_save_buffer(). Do not call
memcpy() with a null source, even if count is zero (Leon Scroggins III).
-rw-r--r-- | ANNOUNCE | 4 | ||||
-rw-r--r-- | CHANGES | 4 | ||||
-rw-r--r-- | pngpread.c | 5 |
3 files changed, 12 insertions, 1 deletions
@@ -41,6 +41,10 @@ Version 1.6.23rc01 [June 2, 2016]
 Moved sse2 prototype from pngpriv.h to contrib/intel/intel_sse.patch.
 Added missing ")" in pngerror.c (Matt Sarrett).
+Version 1.6.23rc02 [June 3, 2016]
+ Fixed undefined behavior in png_push_save_buffer(). Do not call
+ memcpy() with a null source, even if count is zero (Leon Scroggins III).
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement
@@ -5589,6 +5589,10 @@ Version 1.6.23rc01 [June 2, 2016]
 Moved sse2 prototype from pngpriv.h to contrib/intel/intel_sse.patch.
 Added missing ")" in pngerror.c (Matt Sarrett).
+Version 1.6.23rc02 [June 3, 2016]
+ Fixed undefined behavior in png_push_save_buffer(). Do not call
+ memcpy() with a null source, even if count is zero (Leon Scroggins III).
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/pngpread.c b/pngpread.c
index 2e0208813..557153366 100644
--- a/pngpread.c
+++ b/pngpread.c
@@ -501,7 +501,10 @@ png_push_save_buffer(png_structrp png_ptr)
 png_error(png_ptr, "Insufficient memory for save_buffer");
 }
- memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+ if (old_buffer)
+ memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+ else if (png_ptr->save_buffer_size)
+ png_error(png_ptr, "save_buffer error");
 png_free(png_ptr, old_buffer);
 png_ptr->save_buffer_max = new_max;
 } |
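Review bot: The new `else if (png_ptr->save_buffer_size)` branch in png_push_save_buffer() relies on an invariant that the hunk does not document: a NULL old save buffer is only legal while save_buffer_size is zero. A short comment above the `if (old_buffer)` test would stop a later cleanup from folding the guard back into an unconditional copy, for example `/* memcpy() with a NULL source is undefined even for a zero count; a NULL old_buffer with a non-zero size means the reader state is inconsistent. */`. The message `"save_buffer error"` also does not say which condition failed, so wording that names the size/buffer mismatch would make reports from the progressive reader easier to triage. The function begins above the hunk, so whether a non-zero save_buffer_size can actually coincide with a NULL buffer cannot be confirmed from the visible lines.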