From 01a1fd6ea5a0ec8041bb34ebe7cc4978d1c848c0 Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Fri, 3 Jun 2016 21:23:10 -0500 Subject: [PATCH] [libpng12] Fixed undefined behavior in png_push_save_buffer(). Do not call memcpy() with a null source, even if count is zero (Leon Scroggins III). --- ANNOUNCE | 6 ++++-- CHANGES | 4 +++- pngpread.c | 11 ++++++++--- 3 files changed, 15 insertions(+), 6 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index c9ad48c8..0b7d4c80 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,5 +1,5 @@ -Libpng 1.2.57beta01 - March 1, 2016 +Libpng 1.2.57beta01 - June 4, 2016 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -40,8 +40,10 @@ Other information: Changes since the last public release (1.2.56): -version 1.2.57beta01 [March 1, 2016] +version 1.2.57beta01 [June 4, 2016] Fix typos in libpng.3 synopses (Eric S. Raymond). + Fixed undefined behavior in png_push_save_buffer(). Do not call + memcpy() with a null source, even if count is zero (Leon Scroggins III). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index 83ae8c05..bcdd751b 100644 --- a/CHANGES +++ b/CHANGES @@ -2920,8 +2920,10 @@ version 1.2.56rc01 [December 14, 2015] version 1.2.56 [December 17, 2015] No changes. -version 1.2.57beta01 [March 1, 2016] +version 1.2.57beta01 [June 4, 2016] Fix typos in libpng.3 synopses (Eric S. Raymond). + Fixed undefined behavior in png_push_save_buffer(). Do not call + memcpy() with a null source, even if count is zero (Leon Scroggins III). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/pngpread.c b/pngpread.c index 4c9ae765..e66eb768 100644 --- a/pngpread.c +++ b/pngpread.c 
@@ -1,8 +1,8 @@
 /* pngpread.c - read a png file in push mode
  *
- * Last changed in libpng 1.2.44 [June 26, 2010]
- * Copyright (c) 1998-2002,2004,2006-2010 Glenn Randers-Pehrson
+ * Last changed in libpng 1.2.57 [(TO BE RELEASED)]
+ * Copyright (c) 1998-2002,2004,2006-2010,2016 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
@@ -687,7 +687,12 @@ png_push_save_buffer(png_structp png_ptr)
       }
       else
       {
-         png_memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+         if (old_buffer)
+            png_memcpy(png_ptr->save_buffer, old_buffer,
+               png_ptr->save_buffer_size);
+         else if (png_ptr->save_buffer_size)
+            png_error(png_ptr, "save_buffer error");
+         png_memcpy(png_ptr->save_buffer, old_buffer,png_ptr->save_buffer_size);
          png_free(png_ptr, old_buffer);
          png_ptr->save_buffer_max = new_max;
       }
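Review bot: The last added line of the second hunk, `png_memcpy(png_ptr->save_buffer, old_buffer,png_ptr->save_buffer_size);`, re-introduces the unconditional copy the hunk removes, so the null-source memcpy() named in the commit subject still happens whenever old_buffer is NULL and save_buffer_size is zero: the `if (old_buffer)` branch is skipped, the `else if` only fires for a non-zero size, and that png_error call is expected not to return. When old_buffer is non-NULL the same bytes are copied twice, which is harmless but wasteful and hides that the guard is doing nothing. Delete that trailing line so the guarded `png_memcpy(..., png_ptr->save_buffer_size);` is the only copy; the three lines above it already cover both cases. The body of png_push_save_buffer starts and ends outside the hunk, so whether old_buffer can actually be NULL here is not visible in this diff.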