From 89158b9ad12a67e86bcc77119aeead6bc4d04dd6 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson
Date: Fri, 3 Jun 2016 18:40:42 -0500
Subject: [libpng16] Fixed undefined behavior in png_push_save_buffer(). Do not call memcpy() with a null source, even if count is zero (Leon Scroggins III).
---
 pngpread.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'pngpread.c')
diff --git a/pngpread.c b/pngpread.c
index 2e0208813..557153366 100644
--- a/pngpread.c
+++ b/pngpread.c
@@ -501,7 +501,10 @@ png_push_save_buffer(png_structrp png_ptr)
 png_error(png_ptr, "Insufficient memory for save_buffer");
 }
- memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+ if (old_buffer)
+ memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+ else if (png_ptr->save_buffer_size)
+ png_error(png_ptr, "save_buffer error");
 png_free(png_ptr, old_buffer);
 png_ptr->save_buffer_max = new_max;
 }
-- 
cgit v1.2.1
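Review bot: The new `if (old_buffer)` guard has no comment saying why it exists, so a later cleanup could fold it back into an unconditional `memcpy()`; I would add `/* memcpy() with a NULL source is undefined behavior even when the count is 0 */` directly above it. The `else if (png_ptr->save_buffer_size)` branch is an internal-consistency check (a non-zero saved size with no old buffer), and the message `"save_buffer error"` does not tell whoever triages a report what was violated; a message such as `"save_buffer_size set but save_buffer is NULL"` would. png_push_save_buffer() starts above the hunk, so the allocation of the new buffer and the bound on `save_buffer_size` relative to it are not visible here and should be checked alongside this change.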