[legacy] Return allocated "old_buffer" in png_push_save_buffer()

before png_error(), to avoid a memory leak.

ANNOUNCE

@@ -64,6 +64,7 @@ version 1.2.43beta05 [February 7, 2010]
   Reverted recent changes to png_push_save-buffer().
   Removed PNGAPI declaration of png_calloc() and png_write_sig() in
     1ibpng-1.2.X, introduced by mistake in libpng-1.2.41.
+  Return allocated "old_buffer" in png_push_save_buffer() before png_error().
 
 version 1.0.53rc01 and 1.2.43rc01 [February 8, 2010]
   No changes.

CHANGES

@@ -2662,10 +2662,11 @@ version 1.2.43beta03 [February 6, 2010]
 version 1.2.43beta04 [February 7, 2010]
   Fixed incorrect test in new png_push_save_buffer() code.
 
-version 1.2.43beta05 [February 7, 2010]
+version 1.2.43beta05 [February 8, 2010]
   Reverted recent changes to png_push_save-buffer().
   Removed PNGAPI declaration of png_calloc() and png_write_sig() in
     1ibpng-1.2.X, introduced by mistake in libpng-1.2.41.
+  Return allocated "old_buffer" in png_push_save_buffer() before png_error().
 
 version 1.0.53rc01 and 1.2.43rc01 [February 8, 2010]
   No changes.

pngpread.c

@@ -702,8 +702,13 @@ png_push_save_buffer(png_structp png_ptr)
 
       new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256;
       old_buffer = png_ptr->save_buffer;
-      png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr,
+      png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr,
          (png_uint_32)new_max);
+      if (png_ptr->save_buffer == NULL)
+      {
+        png_free(png_ptr, old_buffer);
+        png_error(png_ptr, "Insufficient memory for save_buffer");
+      }
       png_memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
       png_free(png_ptr, old_buffer);
       png_ptr->save_buffer_max = new_max;