[libpng16] Fixed undefined behavior in png_push_save_buffer(). Do not call

memcpy() with a null source, even if count is zero (Leon Scroggins III).
2016-06-03 18:40:42 -05:00 · 2016-06-03 18:40:42 -05:00 · 89158b9ad1
commit 89158b9ad1
parent 1fdac25f66
3 changed files with 12 additions and 1 deletions
--- a/4
+++ b/4
@ -41,6 +41,10 @@ Version 1.6.23rc01 [June 2, 2016]
  Moved sse2 prototype from pngpriv.h to contrib/intel/intel_sse.patch.
  Added missing ")" in pngerror.c (Matt Sarrett).

+Version 1.6.23rc02 [June 3, 2016]
+  Fixed undefined behavior in png_push_save_buffer(). Do not call
+    memcpy() with a null source, even if count is zero (Leon Scroggins III).
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement
--- a/4
+++ b/4
@ -5589,6 +5589,10 @@ Version 1.6.23rc01 [June 2, 2016]
  Moved sse2 prototype from pngpriv.h to contrib/intel/intel_sse.patch.
  Added missing ")" in pngerror.c (Matt Sarrett).

+Version 1.6.23rc02 [June 3, 2016]
+  Fixed undefined behavior in png_push_save_buffer(). Do not call
+    memcpy() with a null source, even if count is zero (Leon Scroggins III).
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
 https://lists.sourceforge.net/lists/listinfo/png-mng-implement
--- a/pngpread.c
+++ b/pngpread.c
@ -501,7 +501,10 @@ png_push_save_buffer(png_structrp png_ptr)
         png_error(png_ptr, "Insufficient memory for save_buffer");
      }

-      memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+      if (old_buffer)
+         memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+      else if (png_ptr->save_buffer_size)
+         png_error(png_ptr, "save_buffer error");
      png_free(png_ptr, old_buffer);
      png_ptr->save_buffer_max = new_max;
   }