Fix undefined behavior in libpng

Check for a null source before calling memcpy. BUG=skia:5390 GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2040433002 Review-Url: https://codereview.chromium.org/2040433002
2016-06-03 09:36:53 -07:00 · 2016-06-03 09:36:53 -07:00 · 1915b0bab2
commit 1915b0bab2
parent 7b9eabb392
2 changed files with 12 additions and 0 deletions
--- a/third_party/libpng/README.google
+++ b/third_party/libpng/README.google
@ -9,3 +9,4 @@ Local Modifications:
    (2) Included Intel optimizations by running:
    "patch -i contrib/intel/intel_sse.patch -p1"
    (3) Removed files unused by Skia
+    (4) Fixed an undefined behavior bug (skbug.com/5390)
--- a/third_party/libpng/pngpread.c
+++ b/third_party/libpng/pngpread.c
@ -499,7 +499,18 @@ png_push_save_buffer(png_structrp png_ptr)
         png_error(png_ptr, "Insufficient memory for save_buffer");
      }

+#if 0
+      // This is the code checked into libpng. Calling memcpy with a null
+      // source is undefined, even if count is 0, but libpng does not
+      // currently check for null or 0. The Skia fix is below.
+      // skbug.com/5390
      memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+#else
+      if (old_buffer)
+         memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+      else if (png_ptr->save_buffer_size)
+         png_error(png_ptr, "save_buffer error");
+#endif
      png_free(png_ptr, old_buffer);
      png_ptr->save_buffer_max = new_max;
   }