[libpng12] Fixed undefined behavior in png_push_save_buffer(). Do not call

memcpy() with a null source, even if count is zero (Leon Scroggins III).
2025-07-10 18:04:09 +02:00 · 2016-06-03 21:23:10 -05:00
parent 08e993c056
commit 01a1fd6ea5
3 changed files with 15 additions and 6 deletions
--- a/pngpread.c
+++ b/pngpread.c
@@ -1,8 +1,8 @@

 /* pngpread.c - read a png file in push mode
 *
- * Last changed in libpng 1.2.44 [June 26, 2010]
- * Copyright (c) 1998-2002,2004,2006-2010 Glenn Randers-Pehrson
+ * Last changed in libpng 1.2.57 [(TO BE RELEASED)]
+ * Copyright (c) 1998-2002,2004,2006-2010,2016 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
 *
@@ -687,7 +687,12 @@ png_push_save_buffer(png_structp png_ptr)
      }
      else
      {
-        png_memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+        if (old_buffer)
+          png_memcpy(png_ptr->save_buffer, old_buffer,
+             png_ptr->save_buffer_size);
+        else if (png_ptr->save_buffer_size)
+          png_error(png_ptr, "save_buffer error");
+        png_memcpy(png_ptr->save_buffer, old_buffer,png_ptr->save_buffer_size);
        png_free(png_ptr, old_buffer);
        png_ptr->save_buffer_max = new_max;
      }